Changelog: https://github.com/netbirdio/netbird/releases/tag/v0.66.2
NetBird `v0.66.x` adds support for exposing a local HTTP service
from the CLI with the `netbird expose`[1] command, but only for
self-hosted deployments. Cloud support is coming.
[1]: https://docs.netbird.io/manage/reverse-proxy/expose-from-cli
---
`0.65.x` highlights
Changelog: https://github.com/netbirdio/netbird/releases/tag/v0.65.3
NetBird `v0.65.x` now includes a built-in reverse proxy[1], but only for
self-hosted deployments and is currently in beta. Cloud support is
coming soon.
Important: pre-shared keys or Rosenpass are currently incompatible with
the reverse proxy feature.
[1]: https://docs.netbird.io/manage/reverse-proxy
---
`v0.63.x` highlights
Changelog: https://github.com/netbirdio/netbird/releases/tag/v0.63.0
NetBird now supports private DNS zones[1].
[1]: https://docs.netbird.io/manage/dns/custom-zones
---
`v0.62.x` highlights
Changelog: https://github.com/netbirdio/netbird/releases/tag/v0.62.3
Upstream minimum Go requirement raised from `v1.24.x` to `v1.25.x`,
see the go.mod[1].
[1]: https://github.com/netbirdio/netbird/blob/v0.62.3/go.mod#L3-L5
---
Building `netbird` with Go 1.26.x fails with errors:
```
[...]
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go126.go:22:2: WaitReasonSelect redeclared in this block
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go125.go:22:2: other declaration of WaitReasonSelect
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go126.go:23:2: WaitReasonChanReceive redeclared in this block
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go125.go:23:2: other declaration of WaitReasonChanReceive
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go126.go:24:2: WaitReasonSemacquire redeclared in this block
/builder/dl/go-mod-cache/gvisor.dev/gvisor@v0.0.0-20251031020517-ecfcdd2f171c/pkg/sync/runtime_constants_go125.go:24:2: other declaration of WaitReasonSemacquire
[...]
```
Upstream Issue: https://github.com/netbirdio/netbird/issues/5290
Upstream PR: https://github.com/netbirdio/netbird/pull/5447
Signed-off-by: Wesley Gimenes <wehagy@proton.me>
(cherry picked from commit df6533b96e)
Add `NB_DNS_STATE_FILE="/var/lib/netbird/state.json"` to the init
environment. This moves the state from the directory
`/root/.config/netbird` to the file `/var/lib/netbird/state.json` to
avoid storage wear. Note: the file is not preserved across reboots.
The state file contains information such as locally disabled routes and
other data primarily useful for desktop clients. In OpenWrt setups,
these changes are normally handled by the NetBird `management` server.
This matches the behavior prior to `netbird` v0.52.x, I have not
received any reports that this file caused problems before, so it is
unlikely to cause issues now.
The previous state file `/root/.config/netbird/state.json` can be removed.
Signed-off-by: Wesley Gimenes <wehagy@proton.me>
(cherry picked from commit 696c2b6096)
Use wan_$DEVICENAME naming scheme instead of using consecutive numbering
for the network name.
This makes it easier to match the network interface to the corresponding
network.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit 1cb70a0b3c)
Set the device option for the network. This is solely for the ease of
matching the network to the corresponding network interface.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit 6990436459)
* add support for OpenVPN netifd detection (thanks @egc112)
* add support for disable LAN->WAN forwarding when `strict_enforcement` is
set on start and restart (thanks @egc112)
* fix: always create marking chains for interfaces
* fix: insert DSCP/ICMP-related nft rules after marking chains
* fix: shellcheck-related improvements
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit e799f47439)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: always print errors/warnings on non-quiet start
* bugfix: return proper enabled status in RPCD
* bugfix: return stupped status in RPCD when procd data is empty
* bugfix: correctly process verbosity=0
* delete LICENSE file and only keep it upstream
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 0058dd1233)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* the suspend/resume function now uses the external
DNS bridge when this function is used
* refine the f_nftadd function
* more file debug logging
* LuCI: add unfiltered DNS-Server to the DNS bridge selection
* LuCI: minor fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 5a495b2240)
* fixed the debug errorfile handling
* fixed a typo in the nftadd function
* minor cornercase improvements
* LuCI: minor cleanups & fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 57ec85084c)
acme 3.1.2 added a new --cert-profile option to request specific certificates.
This makes it possible to request shortlived six day certificates from Letsencrypt.
Signed-off-by: Norman Gehrsitz <openwrt@gehrsitz.eu>
bsbf-autoconf-cellular creates a network with MBIM or QMI protocol using a
newly created network interface. It uses metric values from 1 to 8.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit a6be73da21)
Designate bsbf-openwrt-resources as the package to contain the BSBF
packages without a remote source to fetch.
Move bsbf-bonding and bsbf-usb-netdev-autodhcp into bsbf-openwrt-resources.
Change bsbf-usb-netdev-autodhcp to bsbf-autoconf-dhcp along with the logic.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit 6037422f53)
* bugfix: support TMP and final block-list destination on different
partitions
* update pause-related code/defaults/validation
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 5ad634eac9)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
bsbf-bonding configures the system for the BondingShouldBeFree bonding
solution client.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit 292214e76a)
bsbf-usb-netdev-autodhcp creates a network with a DHCP client using a newly
created network interface. It uses metric values from 1 to 8.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit fea7b41d64)
bsbf-resources contains the resources for the BondingShouldBeFree bonding
solution client.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit e69b0b24fa)
TCP-in-UDP is a lightweight TCP in UDP tunnel utilising eBPF.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
(cherry picked from commit ea1ea71298)
* add explicit LICENSE file to the repository
* pretty up Makefile
* minor shell script styling improvements
* better parsing if individual dnsmasq instances are used in config
* functional test
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit eea712197e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* bugfix: don't mask RFC1918 in the support output
* bugfix: proper processing of downed interfaces
Thanks to everyone who reported/tested and @egc112 for collecting feedback.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit abff4ba825)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* added a new firewall feature: the DNS‑Bridge.
This temporary DNS bridge ensures that an external fallback DNS server
is automatically used during local DNS restarts, providing Zero‑Downtime DNS resolution.
* The debug mode now captures internal error output in a dedicated log file,
located by default in the adblock base directory as /tmp/adb_error.log.
* LuCI: exposed the previously missing adb_cores option (auto‑detected by default).
* LuCI: added support for the new DNS‑Bridge options (Zero‑Downtime during DNS restarts).
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit d4a62496f9)
Contains a bugfix for cake_mq. Also add 'ip' as a dependency to be able
to create multi-queue ifb devices.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Move START and STOP to be within the first 10 lines so they can be
properly detected by procd.
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit 779b1ef2aa)
* support the new possible nft expiry options in the backend as well
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 091ba82c38)
This software is no longer maintained, and upstream
repo has been archived.
No package depends on this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
(cherry picked from commit 1d876b0894)
* fixed a busybox awk problem in the new scan function
* minor cleanups
* LuCI: more eslint fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 559c6c7dec)
* rework wlan scanning
- drop iw/ip - use ubus/iwinfo calls instead
- build a new, central wlan scan function (used in LuCI and during
* simplify uci config parsing
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 7431a315ba)
- Add nat to the default [IN|E]GRESS_CAKE_OPTS in defaults.sh
- Add support for cake_mq
Signed-off-by: Rany Hany <rany_hany@riseup.net>
(cherry picked from commit 7f4a121db5)
For reasons that have not been investigated in detail, the package blocks
during 'postinst' with the new 'apk' backend when the package is installed
on the target.
After much back and forth, it turned out that the '/etc/init.d/ddns start'
command is responsible for this. The call is blocking.
The command '/etc/init.d/ddns enabled' in the 'postinst' also makes no sense
here, as it only checks whether the ddns service is enabled. The return value
is not checked at all. And the 'prerm' script is also not needed, as the
calls made there are implicitly called during package deinstallation.
Therefore, this commit removes the entire and not needed 'postinst' and
'prerm' script call.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 34d0684be1)
This was overlooked. Therefore, the package could not be built.
Fixes: e9fe0249f6 ("ddns-scripts: Fix Hetzner Cloud naming")
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 2b6adb9ae7)
In the original commit I used the wrong name for the package in the
Makefile and various other files which caused the package to not build.
Unify the naming to "cloud" to fix the package build.
Fixes: 5ee205bd31 ("ddns-scripts: add Hetzner Cloud support")
Signed-off-by: Christopher Obbard <obbardc@gmail.com>
(cherry picked from commit 081b7043c3)
Add a new Hetzner DDNS provider using the Hetzner Cloud API
(api.hetzner.cloud) with Bearer token authentication.
Configuration guide:
* set [domain] to domain
* set [username] to subdomain (without domain)
* set [password] to Bearer API key
Signed-off-by: Christopher Obbard <obbardc@gmail.com>
(cherry picked from commit 5ee205bd31)
new service provider namesilo.com
config guide:
* set [domain] to apex domain
* set [username] to subdomain (without apex domain)
* set [password] to api key
Signed-off-by: Lin Fan <im.linfan@gmail.com>
(cherry picked from commit 1199a40351)
Redirect stdout and stderr to /dev/null when starting/restarting the ddns
service in the background. Without this redirection, file descriptors are
inherited by the child process, preventing proper process detachment and
causing luci's XHR requests to timeout.
(cherry picked from commit afd01e3034)
Added logic to extract and match DNS record ID from parameters,
with fallback to default selection if no match is found.
Signed-off-by: QiLei Niu <qilei.niu@gmail.com>
(cherry picked from commit ae659deb40)
Add missing provider entry for apertodns.com-token.
The service configuration (apertodns.com-token.json) was already
merged in PR #28160, but the provider list entry was missing.
Signed-off-by: Andrea Ferro <support@apertodns.com>
(cherry picked from commit 3a4b906a36)
Add support for ApertoDNS dynamic DNS service with two configuration
options:
- apertodns.com: Standard DynDNS2 compatible authentication (user/pass)
- apertodns.com-token: Token-based authentication for DDNS clients
Both configurations support IPv4 and IPv6 updates via the standard
/nic/update endpoint.
Signed-off-by: Andrea Ferro <support@apertodns.com>
(cherry picked from commit 6265fab8ce)
Chester A. Unal
Wesley Gimenes
Stan Grishin
Dirk Brenken
Norman Gehrsitz
Toke Høiland-Jørgensen
George Sapkin
Yanase Yuki
Goetz Goerisch
Rany Hany
Ray Wang
Christian Lachner
Florian Eckert
Christopher Obbard
Lin Fan
Juan Antonio
monokoo
Andrea Ferro