Sometimes the wan connection needs time to be established (e.g. cold
boot after power loss) and the service may crash as the internet is
yet available. Add a trigger to reload the service once the wan
interface is up.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 52037eb625)
[based upon 23.05 branch]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Bump glib2 to 2.74.7 which fixes CVE-2023-29499, CVE-2023-32611,
CVE-2023-32636, CVE-2023-32643, CVE-2023-32665 and on top of that
backport CVE-2024-34397 fix from Debian Bookworm glib2 package
2.74.6-2+deb12u2. While at it refresh the patches so they apply cleanly.
References: https://security-tracker.debian.org/tracker/source-package/glib2.0
Fixes: CVE-2023-29499, CVE-2023-32611, CVE-2023-32636, CVE-2023-32643, CVE-2023-32665, CVE-2024-34397
Signed-off-by: Petr Štetiar <ynezz@true.cz>
1. to address the isssue of incomplement firwall rules
2. added support for gateway settings
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
(cherry picked from commit d552c5733a)
* bugfix: users reported unexpected side effects with the newly introduced rpc-sys ubus service, reverted that part
*bugfix: made "tcpdump" optional
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 4803143a91)
* removal of a superfluous opkg code block (missed in the last commit)
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 9428ef4320)
* get rid of the opkg dependency
* fixed remaining hagezi category issues
* adblock still depends on 'gawk', but also accepts busybox awk. The readme describes two officially unsupported installation variants.
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 34db79bcd5)
Fixes CVEs:
- CVE-2024-1975: remove sig 0 support
- CVE-2024-4076: qctx-zversion was not being cleared when it should have been
leading to an assertion failure if it needed to be reused.
- CVE-2024-1737: An excessively large number of rrtypes per owner can slow
down database query processing, so a limit has been placed on the number of
rrtypes that can be stored per owner (node) in a cache or zone database. This
is configured with the new "max-rrtypes-per-name" option, and defaults to 100.
- CVE-2024-1737: Excessively large rdatasets can slow down database query
processing, so a limit has been placed on the number of records that can be
stored per rdataset in a cache or zone database. This is configured with the
new "max-records-per-type" option, and defaults to 100.
- CVE-2024-0760: Malicious DNS client that sends many queries over TCP but
never reads responses can cause server to respond slowly or not respond at
all for other clients.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This commit follows the upstream project's change of license from GPLv3
to MIT.
Link: 3175713e77
Signed-off-by: Ray Wang <r@hev.cc>
(cherry picked from commit 003b4e3696)
This version is the final version supporting iptables and:
* it separates the old iptables/nft-capable init script from the new nft-only init script
* the new nft-script is a significant rewrite of the old recursive calls/policy parsing
and tries to create inline nft sets which offers performance improvements
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 920d64734a)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* update license to AGPL-3.0-or-later
* rename pbr_get_gateway to pbr_get_gateway4 for better readability
* improve IPv6 "gateway" detection/display on start
* prevent IPv6 interface errors on start
* revert release format
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 717a800ec5)
* delete obsolete files/etc/init.d/pbr.init
* add files/etc/uci-defaults/91-pbr-iptables to help update from older OpenWrt
* add files/etc/uci-defaults/91-pbr-nft to help update from older OpenWrt
* update files/etc/uci-defaults/91-pbr-netifd to only add tables to supported ifaces
* re-organize variants in the Makefile so that they hopefull work this time
* update prerm for all variants for better user experience
* update the -netifd prerm to remove leftofver entries from network and rt_tables file
In the init script:
* add decorations for netifd-interfaces related operations (blue ticks)
* add rtTablesFile variables instead of hard-coding the rt_tables file
* add function to check if the table is netifd-derived
* add error messages/hints for failed interface setup and failed WAN discovery
* make cleanup_rt_tables the netifd-compatible
* streamline interface_process function with a clearer case statement
* rename the interface_process `pre-init` option to `pre_init` to conform to the other
functions options naming style
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit bb5de23743)
This update includes the following changes:
1. Makefile
* update copyright
* attempt to implement the proper variants to avoid luci-app dependency on both variants
* quietly stop service on uninstall
2. Config-file
* add the list of dnsmasq instances to target in supported dnsmasq modes
* for default pbr variant, set the `resolver_set` to `dnsmasq.nftset`
* for iptables pbr variant, set the `resolver_set` to `dnsmasq.ipset`
* add the `nft_file_support` (disabled by default)
* introduce `procd_boot_delay` to delay service start on boot
* introduce the following nft set creation options:
* nft_set_auto_merge
* nft_set_counter
* nft_set_flags_interval
* nft_set_flags_timeout
* nft_set_gc_interval
* nft_set_policy
* nft_set_timeout
* add the pbr.user.wg_server_and_client custom user script to allow running wg server and
client at the same time
* add the "Ignore Local Requests" sample policy
3. Hotplug firewall/interface scripts
* better logged messages
4. The pbr and pbr-iptables uci defaults script
* use functions from the init script
* improve vpn-policy-routing migration
5. The pbr-netifd uci defaults script
* use functions from the init script
* improve uci operations
6. Introduce the firewall.include file
7. Improve pbr.user.aws custom user script
8. Improve pbr.user.netflix custom user script
9. Introduce pbr.user.wg_server_and_client custom user script
10. Update the init file:
* refactor some code to allow the init script file to be sourced by the uci defaults scripts
and the luci rpcd script for shared functions
* add support for `nft_file_mode` in which service prepares the fw4-compatible atomic nft/include
file for faster operations on service reload
* improve Tor support (nft mode only)
* implement support for nft set options
* update validation functions for new options/parameters
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 790753f6a6)
Update the options to match the master branch. This drops options of no
longer supported GCC versions.
Signed-off-by: Richard Muzik <richard.muzik@nic.cz>
* added full 1Hosts feed support (4 categories)
* changed the OISD list sources to alternate wildcard domains syntax
* used only the adguard source in default config
* fixed a needless reload delay plus a few cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 875fcf3f12)
* new gawk dependency
* full hagezi support (all 32 categories)
* refine Stevenblack support
* refine whitelist handling
* fixed tcpdump command line for ports other than 53 (see #24685)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 7b18f22e73)
go1.21.13 (released 2024-08-06) includes fixes to the go command,
the covdata command, and the bytes package.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
This version brings two significant updates:
* support for text labels/names for the external lists
* better processing of the config update files, which cleans up
entries with missing URLs
Also:
* new config file contains names for all lists
* it tries to match existing URLs with the names from the new config file
and update user config as part of uci-defaults script
* contains minor updates to copyright/license/upstream URL/README
* updates the config update script to remove sysctl.org list as it's outdated
* adds two new remote lists: Hagezi and 1Hosts
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 50e85ed27f)
Cherry-pick commit has been updated to reflect a different hash required for 23.05
Makefile:
* update to latest upstream version
* remove PKG_SOURCE_DATE/PKG_SOURCE_RELEASE as they are no longer needed
* set TARGET_CFLAGS/TARGET_LDFLAGS
* update CMAKE_OPTIONS
* add CONFIGURE_ARGS to prepare for building with HTTP/3
* update package URL to upstream repo instead of documentation
* update package/description
* add README.md with link to documentation
init-script:
* do not run within image builder
* add a line which can be uncommented to remove outdated doh_server entries
020-src-options.c-add-version.patch:
* remove it, as it's no longer needed with version set in CMAKE_OPTIONS
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 9e600ac071)
Remove the ancient package with experimental cake options,
from time when cake was not yet officially here.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 217e4ecb35)
