-rw-r--r--ipv6/generate-ipv6-address/Makefile8
-rw-r--r--lang/node/Makefile2
-rw-r--r--lang/node/patches/999-fix_icu_conflict.patch74
-rw-r--r--libs/boost/Makefile12
-rw-r--r--libs/boost/patches/010-mips64-fiber.patch (renamed from libs/boost/patches/020-mips64-fiber.patch)2
-rw-r--r--libs/boost/patches/010-mips64.patch70
-rw-r--r--libs/gnu-efi/Makefile56
-rw-r--r--libs/libtalloc/Makefile3
-rw-r--r--libs/uci2/Makefile4
-rw-r--r--net/atlas-sw-probe/Makefile9
-rw-r--r--net/atlas-sw-probe/files/atlas.conf1
-rw-r--r--net/atlas-sw-probe/files/atlas.init61
-rw-r--r--net/atlas-sw-probe/files/atlas.readme12
-rw-r--r--net/banip/Makefile2
-rw-r--r--net/banip/files/README.md28
-rwxr-xr-xnet/banip/files/banip.sh119
-rw-r--r--net/fwknop/Makefile2
-rw-r--r--net/fwknop/files/fwknopd.init11
-rw-r--r--net/gnunet/Makefile20
-rw-r--r--net/lighttpd/Makefile2
-rw-r--r--net/lighttpd/files/lighttpd.conf2
-rw-r--r--net/lighttpd/patches/030-101-upgrade-w-content-length.patch31
-rw-r--r--net/lighttpd/patches/040-mod_auth-close-http2-after-bad-pass.patch143
-rw-r--r--net/lighttpd/patches/050-openssl-skip-chain-build-self-issued.patch45
-rw-r--r--net/lighttpd/patches/060-meson-zstd.patch27
-rw-r--r--net/lighttpd/patches/070-ls-hpack-update.patch56
-rw-r--r--net/lighttpd/patches/080-http2-data-after-response.patch145
-rw-r--r--net/nextdns/Makefile4
-rw-r--r--net/openssh/Makefile4
-rw-r--r--net/openvpn/Makefile6
-rw-r--r--net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch2
-rw-r--r--net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch42
-rwxr-xr-xnet/openvpn/test.sh10
-rw-r--r--net/stunnel/Makefile4
-rw-r--r--net/udp-broadcast-relay-redux-openwrt/Makefile49
-rw-r--r--net/udp-broadcast-relay-redux-openwrt/files/udp-broadcast-relay-redux.init76
-rw-r--r--net/udp-broadcast-relay-redux-openwrt/files/udp_broadcast_relay_redux.config6
-rw-r--r--utils/cni-plugins-nft/Makefile50
-rw-r--r--utils/containerd/Makefile8
-rw-r--r--utils/docker/Makefile6
-rw-r--r--utils/dockerd/Makefile6
-rw-r--r--utils/gummiboot/Makefile66
-rw-r--r--utils/gummiboot/patches/010-fix-missing-includes.patch10
-rw-r--r--utils/gummiboot/patches/020-fix-dev-mapping.patch54
-rw-r--r--utils/libnetwork/Makefile8
-rw-r--r--utils/mtools/Makefile70
-rw-r--r--utils/podman/Makefile10
-rwxr-xr-xutils/podman/files/podman.init6
-rw-r--r--utils/tmux/Makefile8
-rw-r--r--utils/tmux/patches/100-add-crosscompiling-fallbacks.patch24
-rw-r--r--utils/uvol/files/autopart.defaults32
-rw-r--r--utils/uvol/files/lvm.sh6
52 files changed, 1300 insertions, 214 deletions
diff --git a/ipv6/generate-ipv6-address/Makefile b/ipv6/generate-ipv6-address/Makefile
index 0d696d1ad..701b3c78d 100644
--- a/ipv6/generate-ipv6-address/Makefile
+++ b/ipv6/generate-ipv6-address/Makefile
@@ -7,7 +7,6 @@ PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=generate-ipv6-address-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.irif.fr/~jch/software/files/
PKG_HASH:=e1356d245d5f891fa39b796a8a2deefdaa89f08130dc97a378738ca5ed9a20fa
-PKG_INSTALL:=1
PKG_MAINTAINER:=Nick Hainke <vincent@systemli.org>
PKG_LICENSE:=MIT
@@ -27,12 +26,13 @@ define Package/generate-ipv6-address/description
address (an Ethernet hardware address) or a randomly drawn host number.
endef
-MAKE_FLAGS += \
- PREFIX="$(PKG_INSTALL_DIR)/usr"
+define Build/Compile
+ $(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_LDFLAGS) $(PKG_BUILD_DIR)/generate-ipv6-address.c -o $(PKG_BUILD_DIR)/generate-ipv6-address
+endef
define Package/generate-ipv6-address/install
$(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/generate-ipv6-address $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/generate-ipv6-address $(1)/usr/bin/
endef
$(eval $(call BuildPackage,generate-ipv6-address))
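Review bot: The hand-written `Build/Compile` recipe omits `$(TARGET_CPPFLAGS)`, which OpenWrt package recipes conventionally pass next to `$(TARGET_CFLAGS)` so that preprocessor settings from the build configuration reach the compiler. I would write it as `$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(TARGET_LDFLAGS) $(PKG_BUILD_DIR)/generate-ipv6-address.c -o $(PKG_BUILD_DIR)/generate-ipv6-address`. A one-line comment above the `define` saying why the upstream Makefile is bypassed would help the next maintainer.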
diff --git a/lang/node/Makefile b/lang/node/Makefile
index 126b79641..65e9bbdc3 100644
--- a/lang/node/Makefile
+++ b/lang/node/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=node
PKG_VERSION:=v14.16.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION)
diff --git a/lang/node/patches/999-fix_icu_conflict.patch b/lang/node/patches/999-fix_icu_conflict.patch
new file mode 100644
index 000000000..0a4170a9e
--- /dev/null
+++ b/lang/node/patches/999-fix_icu_conflict.patch
@@ -0,0 +1,74 @@
+--- a/tools/icu/icu-generic.gyp
++++ b/tools/icu/icu-generic.gyp
+@@ -181,6 +181,7 @@
+ '<(icu_path)/source/i18n/uspoof_wsconf.h',
+ ]}],
+ ],
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/i18n',
+ ],
+@@ -189,6 +190,7 @@
+ ],
+ 'dependencies': [ 'icuucx', 'icu_implementation', 'icu_uconfig', 'icu_uconfig_target' ],
+ 'direct_dependent_settings': {
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/i18n',
+ ],
+@@ -275,6 +277,7 @@
+ # full data - no trim needed
+ 'sources': [ '<(SHARED_INTERMEDIATE_DIR)/icudt<(icu_ver_major)_dat.<(icu_asm_ext)' ],
+ 'dependencies': [ 'genccode#host', 'icupkg#host', 'icu_implementation#host', 'icu_uconfig' ],
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ ],
+@@ -359,6 +362,7 @@
+ # This file contains the small ICU data
+ 'sources': [ '<(SHARED_INTERMEDIATE_DIR)/icusmdt<(icu_ver_major)_dat.<(icu_asm_ext)' ],
+ # for umachine.h
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ ],
+@@ -375,6 +379,7 @@
+ 'sources': [
+ '<@(icu_src_stubdata)'
+ ],
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ ],
+@@ -443,6 +448,7 @@
+ '_XOPEN_SOURCE_EXTENDED=0',
+ ]}],
+ ],
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ ],
+@@ -452,6 +458,7 @@
+ 'cflags_c': ['-std=c99'],
+ 'export_dependent_settings': [ 'icu_uconfig', 'icu_uconfig_target' ],
+ 'direct_dependent_settings': {
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ ],
+@@ -482,6 +489,7 @@
+ '<(icu_path)/source/tools/toolutil/dbgutil.cpp',
+ '<(icu_path)/source/tools/toolutil/dbgutil.h',
+ ],
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ '<(icu_path)/source/i18n',
+@@ -501,6 +509,7 @@
+ }]
+ ],
+ 'direct_dependent_settings': {
++ 'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ],
+ 'include_dirs': [
+ '<(icu_path)/source/common',
+ '<(icu_path)/source/i18n',
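Review bot: The new patch file has no description header, and every added `'include_dirs!': [ '<!@(echo "$STAGING_DIR"/usr/include)' ]` line depends on `STAGING_DIR` being exported in the environment gyp runs in. If the variable is unset, the command expands to `/usr/include`, so the exclusion presumably stops matching the staging path and the bundled ICU sources could again be compiled against staged ICU headers. I would add a short header at the top of the patch naming the conflict it works around and stating that `STAGING_DIR` must be set, so a failure here is diagnosable.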
diff --git a/libs/boost/Makefile b/libs/boost/Makefile
index 04052dcbb..16b06ac0c 100644
--- a/libs/boost/Makefile
+++ b/libs/boost/Makefile
@@ -11,13 +11,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=boost
-PKG_VERSION:=1.75.0
-PKG_SOURCE_VERSION:=1_75_0
-PKG_RELEASE:=3
+PKG_VERSION:=1.76.0
+PKG_SOURCE_VERSION:=1_76_0
+PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)_$(PKG_SOURCE_VERSION).tar.bz2
PKG_SOURCE_URL:=@SF/$(PKG_NAME)/$(PKG_NAME)/$(PKG_VERSION) https://dl.bintray.com/boostorg/release/$(PKG_VERSION)/source/
-PKG_HASH:=953db31e016db7bb207f11432bef7df100516eeb746843fa0486a222e3fd49cb
+PKG_HASH:=f0397ba6e982c4450f27bf32a2a83292aba035b827a5623a14636ea583318c41
PKG_MAINTAINER:=Carlos M. Ferreira <carlosmf.pt@gmail.com>
PKG_LICENSE:=BSL-1.0
@@ -42,7 +42,7 @@ define Package/boost/Default
endef
define Package/boost/description
-This package provides the Boost v1.75.0 libraries.
+This package provides the Boost v1.76.0 libraries.
Boost is a set of free, peer-reviewed, portable C++ source libraries.
This package provides the following run-time libraries:
@@ -77,7 +77,7 @@ This package provides the following run-time libraries:
- wave
There are many more header-only libraries supported by Boost.
-See more at http://www.boost.org/doc/libs/1_75_0/
+See more at http://www.boost.org/doc/libs/1_76_0/
endef
PKG_BUILD_DEPENDS:=boost/host
diff --git a/libs/boost/patches/020-mips64-fiber.patch b/libs/boost/patches/010-mips64-fiber.patch
index 10d46d88b..768c4b21b 100644
--- a/libs/boost/patches/020-mips64-fiber.patch
+++ b/libs/boost/patches/010-mips64-fiber.patch
@@ -4,7 +4,7 @@
# else
# define cpu_relax() asm volatile ("nop" ::: "memory");
# endif
--#elif BOOST_ARCH_MIPS && (__mips_isa_rev > 1)
+-#elif BOOST_ARCH_MIPS && (__mips_isa_rev > 1) && !defined(_MIPS_ARCH_OCTEONP)
+#elif BOOST_ARCH_MIPS && (((__mips_isa_rev > 1) && defined(__mips32)) || ((__mips_isa_rev > 2) && defined(__mips64)))
# define cpu_relax() asm volatile ("pause" ::: "memory");
#elif BOOST_ARCH_PPC
diff --git a/libs/boost/patches/010-mips64.patch b/libs/boost/patches/010-mips64.patch
deleted file mode 100644
index 513e206b4..000000000
--- a/libs/boost/patches/010-mips64.patch
+++ /dev/null
@@ -1,70 +0,0 @@
---- a/libs/context/src/asm/jump_mips64_n64_elf_gas.S
-+++ b/libs/context/src/asm/jump_mips64_n64_elf_gas.S
-@@ -67,7 +67,7 @@ jump_fcontext:
- sd $ra, 144($sp) # save RA
- sd $ra, 152($sp) # save RA as PC
-
--
-+#if defined(__mips_hard_float)
- s.d $f24, 0($sp) # save F24
- s.d $f25, 8($sp) # save F25
- s.d $f26, 16($sp) # save F26
-@@ -76,6 +76,7 @@ jump_fcontext:
- s.d $f29, 40($sp) # save F29
- s.d $f30, 48($sp) # save F30
- s.d $f31, 56($sp) # save F31
-+#endif
-
- # store SP (pointing to old context-data) in v0 as return
- move $v0, $sp
-@@ -83,6 +84,7 @@ jump_fcontext:
- # get SP (pointing to new context-data) from a0 param
- move $sp, $a0
-
-+#if defined(__mips_hard_float)
- l.d $f24, 0($sp) # restore F24
- l.d $f25, 8($sp) # restore F25
- l.d $f26, 16($sp) # restore F26
-@@ -91,6 +93,7 @@ jump_fcontext:
- l.d $f29, 40($sp) # restore F29
- l.d $f30, 48($sp) # restore F30
- l.d $f31, 56($sp) # restore F31
-+#endif
-
- ld $s0, 64($sp) # restore S0
- ld $s1, 72($sp) # restore S1
---- a/libs/context/src/asm/ontop_mips64_n64_elf_gas.S
-+++ b/libs/context/src/asm/ontop_mips64_n64_elf_gas.S
-@@ -67,7 +67,7 @@ ontop_fcontext:
- sd $ra, 144($sp) # save RA
- sd $ra, 152($sp) # save RA as PC
-
--
-+#if defined(__mips_hard_float)
- s.d $f24, 0($sp) # save F24
- s.d $f25, 8($sp) # save F25
- s.d $f26, 16($sp) # save F26
-@@ -76,6 +76,7 @@ ontop_fcontext:
- s.d $f29, 40($sp) # save F29
- s.d $f30, 48($sp) # save F30
- s.d $f31, 56($sp) # save F31
-+#endif
-
- # store SP (pointing to context-data) in t0
- move $t0, $sp
-@@ -83,6 +84,7 @@ ontop_fcontext:
- # restore SP (pointing to context-data) from a0
- move $sp, $a0
-
-+#if defined(__mips_hard_float)
- l.d $f24, 0($sp) # restore F24
- l.d $f25, 8($sp) # restore F25
- l.d $f26, 16($sp) # restore F26
-@@ -91,6 +93,7 @@ ontop_fcontext:
- l.d $f29, 40($sp) # restore F29
- l.d $f30, 48($sp) # restore F30
- l.d $f31, 56($sp) # restore F31
-+#endif
-
- ld $s0, 64($sp) # restore S0
- ld $s1, 72($sp) # restore S1
diff --git a/libs/gnu-efi/Makefile b/libs/gnu-efi/Makefile
new file mode 100644
index 000000000..58660c9ad
--- /dev/null
+++ b/libs/gnu-efi/Makefile
@@ -0,0 +1,56 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gnu-efi
+PKG_VERSION:=3.0.9
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/vathpela/gnu-efi.git
+PKG_SOURCE_DATE:=2021-04-11
+PKG_SOURCE_VERSION:=3e4d5c79905afcd815b0beb3dcfe2dfae5b3e6dd
+PKG_MIRROR_HASH:=7660d2259c1d5208bcabee5a0ffb6dc61f41363a79ba9158f3dd413a8af8e238
+PKG_BUILD_PARALLEL:=1
+
+PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
+PKG_LICENSE_FILES:=README.efilib
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gnu-efi
+ SECTION:=libs
+ CATEGORY:=Libraries
+ TITLE:=GNU's EFI library
+ URL:=https://github.com/vathpela/gnu-efi
+ HIDDEN:=1
+ DEPENDS:=@TARGET_x86_64
+endef
+
+define Package/gnu-efi/description
+ GNU's EFI library
+endef
+
+define Build/Install
+ $(MAKE_VARS) \
+ $(MAKE) -C $(PKG_BUILD_DIR)/$(MAKE_PATH) \
+ $(MAKE_INSTALL_FLAGS) \
+ INSTALLROOT=$(PKG_INSTALL_DIR) \
+ install
+endef
+
+define Package/gnu-efi/install
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/local/lib/** $(1)/usr/lib/
+endef
+
+define Build/InstallDev
+ $(INSTALL_DIR) $(1)/usr/lib $(1)/usr/include/efi
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/local/lib/** $(1)/usr/lib/
+ cp -aR $(PKG_INSTALL_DIR)/usr/local/include/efi/** $(1)/usr/include/efi/
+endef
+
+$(eval $(call BuildPackage,gnu-efi))
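Review bot: The new package declares `PKG_LICENSE_FILES:=README.efilib` but no `PKG_LICENSE`, so license metadata for a component that ends up in boot code is incomplete; add a `PKG_LICENSE:=` line with the SPDX identifier that matches that file. In `Package/gnu-efi/install` and `Build/InstallDev` the `**` glob is expanded by the recipe shell, where without globstar it matches the same as `*`; writing `$(PKG_INSTALL_DIR)/usr/local/lib/*` says what is meant. Since the package is `HIDDEN` and appears to provide only build-time objects, a comment on `Package/gnu-efi/install` explaining why these files are also copied into the target root would be useful.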
diff --git a/libs/libtalloc/Makefile b/libs/libtalloc/Makefile
index 6f3bc133b..a1209784f 100644
--- a/libs/libtalloc/Makefile
+++ b/libs/libtalloc/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=talloc
PKG_VERSION:=2.3.1
MAJOR_VERSION:=2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.samba.org/ftp/talloc
@@ -18,6 +18,7 @@ PKG_MAINTAINER:=Ted Hess <thess@kitschensync.net>
PKG_LICENSE:=LGPL-3.0-or-later
PKG_BUILD_PARALLEL:=0
+PKG_BUILD_DEPENDS:=python3/host
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/kernel.mk
diff --git a/libs/uci2/Makefile b/libs/uci2/Makefile
index 3f1b5f0a3..6c1dbf23d 100644
--- a/libs/uci2/Makefile
+++ b/libs/uci2/Makefile
@@ -6,8 +6,8 @@ PKG_RELEASE:=1
PKG_SOURCE_URL:=https://github.com/sartura/uci2.git
PKG_SOURCE_PROTO:=git
-PKG_SOURCE_VERSION:=89056741c0c4048dafa822fef228c555fc41deff
-PKG_MIRROR_HASH:=e376e8aec6054405a2e9616a1dc51b86d68d6cfac87d84e8a98ea1714883dfaf
+PKG_SOURCE_VERSION:=24b7471a0aead99115c189f04236f5fe52492579
+PKG_MIRROR_HASH:=ea8f4627163ce40f62393a87a0155869f034bb78c9f7fb644f18461cbdaf5333
PKG_MAINTAINER:=Jakov Petrina <jakov.petrina@sartura.hr>
PKG_LICENSE:=BSD-3-Clause
diff --git a/net/atlas-sw-probe/Makefile b/net/atlas-sw-probe/Makefile
index b4cc2f318..41043749c 100644
--- a/net/atlas-sw-probe/Makefile
+++ b/net/atlas-sw-probe/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=atlas-sw-probe
PKG_VERSION:=5020
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/RIPE-NCC/ripe-atlas-software-probe.git
@@ -30,7 +30,7 @@ define Package/atlas-sw-probe
CATEGORY:=Network
TITLE:=RIPE Atlas software probe
URL:=https://atlas.ripe.net/about/probes/
- DEPENDS:=+atlas-probe
+ DEPENDS:=+atlas-probe +PACKAGE_dropbear:dropbearconvert
endef
define Package/atlas-sw-probe/description
@@ -68,6 +68,7 @@ exit 0
endef
define Package/atlas-sw-probe/conffiles
+/etc/atlas/
/etc/config/atlas
/usr/libexec/atlas-probe-scripts/state/config.txt
endef
@@ -104,6 +105,10 @@ define Package/atlas-sw-probe/install
# Fix permision
chmod 755 $(1)/$(SCRIPTS_DIR)/bin
+ # Add registration instruction
+ $(INSTALL_DIR) $(1)/etc/atlas/
+ $(CP) ./files/atlas.readme $(1)/etc/atlas/
+
# Create softlinks for writable dirs
$(LN) $(TMP_BASE_DIR)/crons $(1)/$(SCRIPTS_DIR)/crons
$(LN) $(TMP_BASE_DIR)/data $(1)/$(SCRIPTS_DIR)/data
diff --git a/net/atlas-sw-probe/files/atlas.conf b/net/atlas-sw-probe/files/atlas.conf
index d2a12a523..77a47c0af 100644
--- a/net/atlas-sw-probe/files/atlas.conf
+++ b/net/atlas-sw-probe/files/atlas.conf
@@ -2,3 +2,4 @@ config atlas 'common'
option log_stderr '1'
option log_stdout '0'
option rxtxrpt '1'
+ option username ''
diff --git a/net/atlas-sw-probe/files/atlas.init b/net/atlas-sw-probe/files/atlas.init
index c5495cd9a..bc826c002 100644
--- a/net/atlas-sw-probe/files/atlas.init
+++ b/net/atlas-sw-probe/files/atlas.init
@@ -2,12 +2,13 @@
USE_PROCD=1
START=30
-EXTRA_COMMANDS="get_key probeid log create_backup load_backup"
+EXTRA_COMMANDS="get_key probeid log create_backup load_backup create_key"
EXTRA_HELP=" get_key print probe public key (used for probe registration)
probeid print probe id
log print probe status log
create_backup backup ssh key to tar.gz
load_backup 'backup.tar.gz' load backup ssh key from tar.gz
+ create_key create probe priv/pub key
"
SCRIPTS_DIR="/usr/libexec/atlas-probe-scripts"
@@ -57,6 +58,58 @@ create_backup() {
fi
}
+create_key() {
+ local username
+ local probe_key=/etc/atlas/probe_key
+ local probe_pub_key=/etc/atlas/probe_key.pub
+
+ config_load atlas
+
+ config_get username "common" username
+
+ if [ -f "$PRIV_KEY_FILE" ]; then
+ if [ ! -f $probe_key ]; then
+ print_msg "Missing probe_key in /etc/atlas"
+ print_msg "The key will be lost on sysupgrade. Cosider moving the keys in /etc/atlas and create a link in the $SCRIPTS_DIR/etc/ dir."
+ fi
+
+ print_msg "probe_key already present. Exiting..."
+ exit 1
+ fi
+
+ if [ -z "$username" ]; then
+ print_msg "Username not set in atlas config file. Enter your ripe-atlas username."
+ exit 1
+ fi
+
+ if [ -n "$(which ssh-keygen)" ]; then
+ ssh-keygen -t rsa -b 2048 -f $probe_key -N ""
+ sed -i "s/ \S*$/ "$username"/" $probe_pub_key
+ elif [ -n "$(which dropbearkey)" ] && [ -n "$(which dropbearconvert)" ]; then
+ local public_key
+
+ public_key="$(dropbearkey -t rsa -f /etc/atlas/probe_key_dropbear -s 2048 | sed -n 2p)"
+ public_key="$(echo "$public_key" | sed "s/ \S*$/ "$username"/")"
+ echo $public_key > $probe_pub_key
+ dropbearconvert dropbear openssh /etc/atlas/probe_key_dropbear $probe_key
+ rm /etc/atlas/probe_key_dropbear
+ else
+ print_msg "Can't find a way to generate key."
+ exit 1
+ fi
+
+ #Link priv/pub key
+ [ -f $PRIV_KEY_FILE ] || ln -s $probe_key $PRIV_KEY_FILE
+ [ -f $PRIV_KEY_FILE ] || ln -s $probe_pub_key $PUB_KEY_FILE
+
+ #Fix permission
+ chown atlas $probe_key $probe_pub_key
+ chgrp atlas $probe_key $probe_pub_key
+ chmod 644 $probe_key $probe_pub_key
+
+ print_msg "Key generated successfully. Use the get_key command to show the public key and get instruction on how to register your probe."
+}
+
log() {
if [ -f "$LOG_FILE" ];then
tail "$LOG_FILE"
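Review bot: create_key leaves the probe's private key world-readable, because the final `chmod 644 $probe_key $probe_pub_key` applies the public-key mode to both files and any local user or process can then read the RSA key that identifies the probe. Split it into `chmod 600 "$probe_key"` and `chmod 644 "$probe_pub_key"`. The second link guard also tests the wrong file: once the first `ln -s` has run, `[ -f $PRIV_KEY_FILE ]` is true and the public-key link is never created, so it should read `[ -f "$PUB_KEY_FILE" ] || ln -s "$probe_pub_key" "$PUB_KEY_FILE"`. Separately, `$username` comes from the config and is spliced unquoted into both `sed` expressions, so a value containing `/`, `&` or whitespace breaks or alters the substitution; checking it against a conservative character set before use would close that.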
@@ -155,6 +208,12 @@ start_service() {
local rxtxrpt
local test_setting
+ if [ ! -f $PRIV_KEY_FILE ]; then
+ print_msg "Missing probe_key. To init the key follow instruction in /etc/atlas/atlas.readme"
+ print_msg "Assuming atlas-sw-probe not init. Exiting..."
+ exit 1
+ fi
+
create_tmp_dirs
config_load atlas
diff --git a/net/atlas-sw-probe/files/atlas.readme b/net/atlas-sw-probe/files/atlas.readme
new file mode 100644
index 000000000..ec446210f
--- /dev/null
+++ b/net/atlas-sw-probe/files/atlas.readme
@@ -0,0 +1,12 @@
+# Atlas probe setup instruction
+
+The atlas probe software requires a rsa 2048-4096 key for registration.
+
+Follow these steps to register your probe on the ripe-atlas systems.
+1. Insert your username in the atlas config file (/etc/config/atlas)
+2. Use the command '/etc/init.d/atlas create_key' to create a priv/pub key.
+3. The priv/pub key will be stored on the directory /etc/atlas/
+4. Use the command '/etc/init.d/atlas get_key' to get the public key used for probe registration.
+ Make sure to copy the entire key and that the last value is the correct username
+5. Follow the instruction from the past command or go to 'https://atlas.ripe.net/apply/swprobe/'
+ and register your probe.
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 9f0a86540..4ae1b2339 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
-PKG_VERSION:=0.7.6
+PKG_VERSION:=0.7.7
PKG_RELEASE:=2
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index c9aadb32f..df9563835 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -50,6 +50,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
* auto-add the uplink subnet to local whitelist
* black- and whitelist also accept domain names as input to allow IP filtering based on these names
+* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
@@ -122,6 +123,7 @@ Available commands:
| ban_logdst_enabled | option | 0 | enable the dst-related logchain |
| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist |
| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist |
+| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs |
| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel |
| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files |
@@ -206,18 +208,17 @@ Available commands:
~# /etc/init.d/banip status
::: banIP runtime information
+ status : enabled
- + version : 0.7.5
- + ipset_info : 27 IPSets with 280704 IPs/Prefixes
- + active_sources : blacklist, country, darklist, debl, doh, drop, dshield, feodo, firehol1, greensnow, iblockspy, nix
- spam, sslbl, talos, threat, tor, uceprotect1, voip, whitelist, yoyo
- + active_devs : eth3
- + active_ifaces : wan, wan6
- + active_logterms : dropbear, luci
- + active_subnets : xxx.xxx.x.xxx/24, xxxx:xxxx:xxxx:0:xxxx:xxxx:xxxx:xxxx/64
- + run_infos : settype: src+dst, backup_dir: /mnt/data/banIP/backup, report_dir: /mnt/data/banIP/report
- + run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✔
- + last_run : refresh, 0m 15s, 4019/3743/3784, 15.03.2021 09:28:01
- + system : PC Engines apu4, OpenWrt SNAPSHOT r16186-bf4aa0c6a2
+ + version : 0.7.7
+ + ipset_info : 2 IPSets with 30 IPs/Prefixes
+ + active_sources : whitelist
+ + active_devs : wlan0
+ + active_ifaces : trm_wwan, trm_wwan6
+ + active_logterms : dropbear, sshd, luci, nginx
+ + active_subnets : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
+ + run_infos : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
+ + run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
+ + last_run : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
+ + system : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
</code></pre>
**black-/whitelist handling:**
@@ -225,6 +226,9 @@ banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain na
Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.
+**whitelist-only mode:**
+banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.
+
**generate an IPSet report:**
<pre><code>
~# /etc/init.d/banip report
diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh
index 5e80ee291..816f2c348 100755
--- a/net/banip/files/banip.sh
+++ b/net/banip/files/banip.sh
@@ -12,7 +12,7 @@
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
-ban_ver="0.7.6"
+ban_ver="0.7.7"
ban_enabled="0"
ban_mail_enabled="0"
ban_proto4_enabled="0"
@@ -23,6 +23,7 @@ ban_monitor_enabled="0"
ban_autodetect="1"
ban_autoblacklist="1"
ban_autowhitelist="1"
+ban_whitelistonly="0"
ban_logterms=""
ban_loglimit="100"
ban_ssh_logcount="3"
@@ -240,7 +241,7 @@ f_conf()
fi
ban_localsources="${ban_localsources:-"maclist whitelist blacklist"}"
ban_logterms="${ban_logterms:-"dropbear sshd luci nginx"}"
- f_log "debug" "f_conf ::: ifaces: ${ban_ifaces:-"-"}, chain: ${ban_chain}, set_type: ${ban_global_settype}, log_chains (src/dst): ${ban_logchain_src}/${ban_logchain_dst}, targets (src/dst): ${ban_target_src}/${ban_target_dst}"
+ f_log "debug" "f_conf ::: ifaces: ${ban_ifaces:-"-"}, chain: ${ban_chain}, set_type: ${ban_global_settype}, log_chains (src/dst): ${ban_logchain_src}/${ban_logchain_dst}, targets (src/dst): ${ban_target_src}/${ban_target_dst}, whitelist_only: ${ban_whitelistonly}"
f_log "debug" "f_conf ::: lan_inputs (4/6): ${ban_lan_inputchains_4}/${ban_lan_inputchains_6}, lan_forwards (4/6): ${ban_lan_forwardchains_4}/${ban_lan_forwardchains_6}, wan_inputs (4/6): ${ban_wan_inputchains_4}/${ban_wan_inputchains_6}, wan_forwards (4/6): ${ban_wan_forwardchains_4}/${ban_wan_forwardchains_6}"
f_log "debug" "f_conf ::: local_sources: ${ban_localsources:-"-"}, extra_sources: ${ban_extrasources:-"-"}, log_terms: ${ban_logterms:-"-"}, log_prefixes (src/dst): ${ban_logprefix_src}/${ban_logprefix_dst}, log_options (src/dst): ${ban_logopts_src}/${ban_logopts_dst}"
}
@@ -547,6 +548,10 @@ f_iptables()
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN"
elif [ "${src_name%_*}" = "whitelist" ]
then
+ f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logtarget_src}"
+ f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logtarget_dst}"
+ f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logchain_src}"
+ f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logchain_dst}"
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN"
else
@@ -599,7 +604,12 @@ f_iptables()
elif [ "${src_name%_*}" = "whitelist" ]
then
pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
- f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
+ if [ "${ban_whitelistonly}" = "1" ]
+ then
+ f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_target_src}" "${pos}"
+ else
+ f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
+ fi
else
f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_target_src}"
fi
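Review bot: The whitelist-only branch needs a comment stating that it fails closed: `! --match-set ${src_name} src -j ${ban_target_src}` sends every packet on `${dev}` whose source is not in the set to the ban target, so an empty or not-yet-populated whitelist set blocks all inbound traffic on that device. The README in this commit says domain entries are resolved in a detached background process, so whitelisted names are presumably unreachable until that lookup has finished. I would add above the `-I` call `# whitelist-only: fail closed, anything not in ${src_name} hits the ban target (an empty set blocks all traffic on ${dev})`. The same applies to the `dst` rule in the next hunk (-612); f_iptables starts and ends outside both hunks.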
@@ -612,7 +622,12 @@ f_iptables()
if [ "${src_name%_*}" = "whitelist" ]
then
pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
- f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
+ if [ "${ban_whitelistonly}" = "1" ]
+ then
+ f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_target_dst}" "${pos}"
+ else
+ f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
+ fi
elif [ "${src_name}" != "maclist" ]
then
f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_target_dst}"
@@ -913,7 +928,7 @@ f_bgsrv()
local bg_pid action="${1}"
bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}|${ban_logread_cmd}|^grep -qE Exit before auth|^grep -qE error: maximum|^grep -qE luci: failed|^grep -qE nginx" | awk '{ORS=" "; print $1}')"
- if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ]
+ if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ] && [ "${ban_whitelistonly}" = "0" ]
then
if [ -n "${bg_pid}" ]
then
@@ -1269,7 +1284,7 @@ f_main()
fi
if [ "${ban_proto4_enabled}" = "1" ]
then
- if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ]
+ if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]
then
(
src_rule_4="/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add ${src_name}_4 \"\$1}"
@@ -1290,7 +1305,7 @@ f_main()
fi
if [ "${ban_proto6_enabled}" = "1" ]
then
- if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ]
+ if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]
then
(
src_rule_6="/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add ${src_name}_6 \"\$1}"
@@ -1314,50 +1329,53 @@ f_main()
# loop over all external sources
#
- for src_name in ${ban_sources}
- do
- # get source data from JSON file
- #
- json_select "${src_name}" >/dev/null 2>&1
- if [ "${?}" != "0" ]
- then
- continue
- fi
- json_objects="url_4 rule_4 url_6 rule_6 comp"
- for object in ${json_objects}
+ if [ "${ban_whitelistonly}" = "0" ]
+ then
+ for src_name in ${ban_sources}
do
- eval json_get_var src_${object} "\${object}" >/dev/null 2>&1
- done
- json_select ..
+ # get source data from JSON file
+ #
+ json_select "${src_name}" >/dev/null 2>&1
+ if [ "${?}" != "0" ]
+ then
+ continue
+ fi
+ json_objects="url_4 rule_4 url_6 rule_6 comp"
+ for object in ${json_objects}
+ do
+ eval json_get_var src_${object} "\${object}" >/dev/null 2>&1
+ done
+ json_select ..
- # handle external IPv4 source downloads in a subshell
- #
- if [ "${ban_proto4_enabled}" = "1" ] && [ -n "${src_url_4}" ] && [ -n "${src_rule_4}" ]
- then
- (
- f_down "${src_name}" "4" "inet" "${src_url_4}" "${src_rule_4}" "${src_comp}"
- )&
- fi
+ # handle external IPv4 source downloads in a subshell
+ #
+ if [ "${ban_proto4_enabled}" = "1" ] && [ -n "${src_url_4}" ] && [ -n "${src_rule_4}" ]
+ then
+ (
+ f_down "${src_name}" "4" "inet" "${src_url_4}" "${src_rule_4}" "${src_comp}"
+ )&
+ fi
- # handle external IPv6 source downloads in a subshell
- #
- if [ "${ban_proto6_enabled}" = "1" ] && [ -n "${src_url_6}" ] && [ -n "${src_rule_6}" ]
- then
- (
- f_down "${src_name}" "6" "inet6" "${src_url_6}" "${src_rule_6}" "${src_comp}"
- )&
- fi
+ # handle external IPv6 source downloads in a subshell
+ #
+ if [ "${ban_proto6_enabled}" = "1" ] && [ -n "${src_url_6}" ] && [ -n "${src_rule_6}" ]
+ then
+ (
+ f_down "${src_name}" "6" "inet6" "${src_url_6}" "${src_rule_6}" "${src_comp}"
+ )&
+ fi
- # control/limit download queues
- #
- hold=$((cnt%ban_maxqueue))
- if [ "${hold}" = "0" ]
- then
- wait
- fi
- cnt=$((cnt+1))
- done
- wait
+ # control/limit download queues
+ #
+ hold=$((cnt%ban_maxqueue))
+ if [ "${hold}" = "0" ]
+ then
+ wait
+ fi
+ cnt=$((cnt+1))
+ done
+ wait
+ fi
# error out
#
@@ -1635,6 +1653,7 @@ f_report()
json_select ".."
done
content="$(cat "${report_txt}" 2>/dev/null)"
+ rm -f "${report_txt}"
fi
# report output
@@ -1726,7 +1745,7 @@ f_jsnup()
done
json_close_array
json_add_string "run_infos" "settype: ${ban_global_settype}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}"
- json_add_string "run_flags" "protocols (4/6): $(f_char ${ban_proto4_enabled})/$(f_char ${ban_proto6_enabled}), log (src/dst): $(f_char ${ban_logsrc_enabled})/$(f_char ${ban_logdst_enabled}), monitor: $(f_char ${ban_monitor_enabled}), mail: $(f_char ${ban_mail_enabled})"
+ json_add_string "run_flags" "protocols (4/6): $(f_char ${ban_proto4_enabled})/$(f_char ${ban_proto6_enabled}), log (src/dst): $(f_char ${ban_logsrc_enabled})/$(f_char ${ban_logdst_enabled}), monitor: $(f_char ${ban_monitor_enabled}), mail: $(f_char ${ban_mail_enabled}), whitelist only: $(f_char ${ban_whitelistonly})"
json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system" "${ban_sysver}"
json_dump > "${ban_rtfile}"
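Review bot: `run_flags` still derives `monitor:` from `ban_monitor_enabled` alone, but the f_bgsrv hunk (-913) no longer starts the log monitor when `ban_whitelistonly` is `1`, so the status output can report the monitor as on while no monitor process is running. The README sample in this commit shows exactly that combination, `monitor: ✔, mail: ✘, whitelist only: ✔`. An operator reading the status to judge whether failed logins are being watched would be misled, so report the effective state, for example by passing `0` to `f_char` for the monitor flag when `ban_whitelistonly` is `1`. f_jsnup begins outside this hunk.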
@@ -1783,7 +1802,7 @@ case "${ban_action}" in
f_main
;;
"suspend")
- if [ "${ban_status}" = "enabled" ]
+ if [ "${ban_status}" = "enabled" ] && [ "${ban_whitelistonly}" = "0" ]
then
f_bgsrv "stop"
f_jsnup "running"
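Review bot: With `ban_whitelistonly` set to `1`, `suspend` here and `resume` in the next hunk (-1793) are skipped silently, because the added condition bypasses the branch and nothing visible in the hunk tells the caller the request was ignored. Unless an `else` outside the hunk already reports it, add one with a log line such as `f_log "info" "suspend/resume is not available in whitelist-only mode"`. The `case` block starts and ends outside the hunk.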
@@ -1793,7 +1812,7 @@ case "${ban_action}" in
f_rmtmp
;;
"resume")
- if [ "${ban_status}" = "paused" ]
+ if [ "${ban_status}" = "paused" ] && [ "${ban_whitelistonly}" = "0" ]
then
f_env
f_main
diff --git a/net/fwknop/Makefile b/net/fwknop/Makefile
index cfcf8a27f..f594def4c 100644
--- a/net/fwknop/Makefile
+++ b/net/fwknop/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=fwknop
PKG_VERSION:=2.6.10
-PKG_RELEASE:=6
+PKG_RELEASE:=7
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.cipherdyne.org/fwknop/download
diff --git a/net/fwknop/files/fwknopd.init b/net/fwknop/files/fwknopd.init
index 4c07d15d8..de3cd38e0 100644
--- a/net/fwknop/files/fwknopd.init
+++ b/net/fwknop/files/fwknopd.init
@@ -44,17 +44,6 @@ service_triggers()
fi
}
-get_bool()
-{
- local _tmp="${1}"
- case "${_tmp}" in
- 1|on|true|yes|enabled) _tmp=1;;
- 0|off|false|no|disabled) _tmp=0;;
- *) _tmp="${2}";;
- esac
- echo -n "${_tmp}"
-}
-
generate_configuration()
{
[ -f /tmp/access.conf.tmp ] && rm /tmp/access.conf.tmp
diff --git a/net/gnunet/Makefile b/net/gnunet/Makefile
index 72647b8f3..51fb6e458 100644
--- a/net/gnunet/Makefile
+++ b/net/gnunet/Makefile
@@ -2,11 +2,11 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=gnunet
-PKG_VERSION:=0.13.3
-PKG_RELEASE:=4
+PKG_VERSION:=0.14.1
+PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@GNU/gnunet
-PKG_HASH:=318e06c4134d1a8ce3b4385d82b11316eaaeb9a4dbc5d4b646453dfc53199296
+PKG_HASH:=4a3205c570c30756f1a8b1ad0f1a63d078a92f0fac8e543471d54f4552da18c2
PKG_LICENSE:=AGPL-3.0
PKG_LICENSE_FILES:=COPYING
@@ -147,7 +147,7 @@ define Package/gnunet/install
core datacache dht dns fragmentation friends hello \
identity natauto natnew nse nt peerinfo peerstore regexblock regex revocation \
scalarproduct set seti setu statistics transport transportapplication \
- transportcommunicator transportcore transportmonitor util; do \
+ transportcore transportmonitor util; do \
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libgnunet$$$$lib.so* $(1)/usr/lib/ ; \
done )
@@ -166,7 +166,7 @@ define Package/gnunet/install
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/lib/gnunet/libexec/gnunet-$$$$lex $(1)/usr/lib/gnunet/libexec ; \
done )
- ( for conf in arm ats cadet communicator-unix core datacache dht identity \
+ ( for conf in arm ats cadet core datacache dht identity \
nat nat-auto nse peerinfo peerstore regex revocation \
scalarproduct set seti setu statistics topology transport util; do \
$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/share/gnunet/config.d/$$$$conf.conf $(1)/usr/share/gnunet/config.d ; \
@@ -272,6 +272,10 @@ LIB_datastore:=datastore
LIBEXEC_datastore:=service-datastore
CONF_datastore:=datastore
+BIN_messenger:=messenger
+LIB_messenger:=messenger
+LIBEXEC_messenger:=service-messenger
+CONF_messenger:=messenger
DEPENDS_reclaim:=+gnunet-gns +gnunet-sqlite +libpbc +libgabe +jansson
BIN_reclaim:=reclaim
@@ -281,7 +285,7 @@ CONF_reclaim:=consensus reclaim secretsharing
PLUGIN_reclaim:=block_consensus gnsrecord_reclaim reclaim_credential_jwt reclaim_attribute_basic
DEPENDS_rest:=+gnunet-gns +gnunet-reclaim +libmicrohttpd-ssl +jansson
-LIB_rest:=rest json
+LIB_rest:=rest json gnsrecordjson
PLUGIN_rest:=rest_config rest_copying rest_gns rest_identity rest_namestore rest_peerinfo rest_openid_connect rest_reclaim
LIBEXEC_rest:=rest-server
CONF_rest:=rest
@@ -326,7 +330,6 @@ DEPENDS_gns-pgsql:=+gnunet-pgsql +gnunet-gns
PLUGIN_gns-pgsql:=namecache_postgres namestore_postgres
CONFLICTS_gns-pgsql:=gnunet-gns-sqlite gnunet-gns-flat
-
DEPENDS_sqlite:=+libsqlite3
LIB_sqlite:=sq
@@ -399,7 +402,7 @@ $(eval $(call PostInstFixSUIDPerms,gnunet-transport-wlan))
$(eval $(call PostInstFixSUIDPerms,gnunet-vpn))
$(eval $(call BuildPackage,gnunet))
-$(eval $(call BuildComponent,abd,credential service components,))
+#$(eval $(call BuildComponent,abd,credential service components,))
$(eval $(call BuildComponent,auction,auction components,))
$(eval $(call BuildComponent,conversation,conversation component,))
$(eval $(call BuildComponent,curl,cURL wrapper component,))
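Review bot: The `abd` component is switched off by commenting out its `BuildComponent` line, with nothing in the hunk saying why or when it should come back. Either delete the line together with the abd variable definitions (which are outside this hunk), or keep it with a reason above it, e.g. `# abd disabled: <reason> (re-enable when <condition>)`. Systems that already have the abd package installed would presumably keep a stale copy after the upgrade, which is worth a line in the commit message.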
@@ -410,6 +413,7 @@ $(eval $(call BuildComponent,fs,file-sharing components,))
$(eval $(call BuildComponent,gns,name resolution components,y))
$(eval $(call BuildComponent,gns-proxy,gns-proxy component,))
$(eval $(call BuildComponent,hostlist,HTTP bootstrap hostlist client and server,y))
+$(eval $(call BuildComponent,messenger,group chat messenger,))
$(eval $(call BuildComponent,reclaim,reclaim identity-provider subsystem,))
$(eval $(call BuildComponent,rest,REST interface,))
$(eval $(call BuildComponent,rps,RPS routing component,y))
diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile
index 75947fb95..56e7b8161 100644
--- a/net/lighttpd/Makefile
+++ b/net/lighttpd/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=lighttpd
PKG_VERSION:=1.4.59
-PKG_RELEASE:=1
+PKG_RELEASE:=2
# release candidate ~rcX testing; remove for release
#PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-1.4.59
diff --git a/net/lighttpd/files/lighttpd.conf b/net/lighttpd/files/lighttpd.conf
index 3846acf74..079d2a688 100644
--- a/net/lighttpd/files/lighttpd.conf
+++ b/net/lighttpd/files/lighttpd.conf
@@ -13,8 +13,6 @@ static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
### Features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
-server.feature-flags += ("server.h2proto" => "enable")
-server.feature-flags += ("server.h2c" => "enable")
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags += ("server.graceful-restart-bg" => "enable")
diff --git a/net/lighttpd/patches/030-101-upgrade-w-content-length.patch b/net/lighttpd/patches/030-101-upgrade-w-content-length.patch
new file mode 100644
index 000000000..d4619325a
--- /dev/null
+++ b/net/lighttpd/patches/030-101-upgrade-w-content-length.patch
@@ -0,0 +1,31 @@
+From 1ca25d4e2cfeb83c844ad52b9c94eac218c71379 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Thu, 4 Feb 2021 00:22:12 -0500
+Subject: [PATCH] [core] 101 upgrade fails if Content-Length incl (fixes #3063)
+
+(thx daimh)
+
+commit 903024d7 in lighttpd 1.4.57 fixed issue #3046 but in the process
+broke HTTP/1.1 101 Switching Protocols which included Content-Length: 0
+in the response headers. Content-Length response header is permitted
+by the RFCs, but not necessary with HTTP status 101 Switching Protocols.
+
+x-ref:
+ "websocket proxy fails if 101 Switching Protocols from backend includes Content-Length"
+ https://redmine.lighttpd.net/issues/3063
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/http-header-glue.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/http-header-glue.c
++++ b/src/http-header-glue.c
+@@ -961,6 +961,7 @@ void http_response_upgrade_read_body_unk
+ (FDEVENT_STREAM_RESPONSE_BUFMIN | FDEVENT_STREAM_RESPONSE);
+ r->conf.stream_request_body |= FDEVENT_STREAM_REQUEST_POLLIN;
+ r->reqbody_length = -2;
++ r->resp_body_scratchpad = -1;
+ r->keep_alive = 0;
+ }
+
diff --git a/net/lighttpd/patches/040-mod_auth-close-http2-after-bad-pass.patch b/net/lighttpd/patches/040-mod_auth-close-http2-after-bad-pass.patch
new file mode 100644
index 000000000..69c98f70e
--- /dev/null
+++ b/net/lighttpd/patches/040-mod_auth-close-http2-after-bad-pass.patch
@@ -0,0 +1,143 @@
+From 4a600dabd5e2799bf0c3048859ee4f00808b7d89 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Sat, 6 Feb 2021 08:29:41 -0500
+Subject: [PATCH] [mod_auth] close HTTP/2 connection after bad pass
+
+mitigation slows down brute force password attacks
+
+x-ref:
+ "Possible feature: authentication brute force hardening"
+ https://redmine.lighttpd.net/boards/3/topics/8885
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/connections.c | 22 +++++++++++++++++++++-
+ src/mod_accesslog.c | 2 +-
+ src/mod_auth.c | 6 +++---
+ src/reqpool.c | 1 +
+ src/request.h | 2 +-
+ src/response.c | 4 ++--
+ 6 files changed, 29 insertions(+), 8 deletions(-)
+
+--- a/src/connections.c
++++ b/src/connections.c
+@@ -228,7 +228,7 @@ static void connection_handle_response_e
+ }
+ }
+
+- if (r->keep_alive) {
++ if (r->keep_alive > 0) {
+ request_reset(r);
+ config_reset_config(r);
+ con->is_readable = 1; /* potentially trigger optimistic read */
+@@ -1265,6 +1265,19 @@ connection_set_fdevent_interest (request
+ }
+
+
++__attribute_cold__
++static void
++connection_request_end_h2 (request_st * const h2r, connection * const con)
++{
++ if (h2r->keep_alive >= 0) {
++ h2r->keep_alive = -1;
++ h2_send_goaway(con, H2_E_NO_ERROR);
++ }
++ else /*(abort connection upon second request to close h2 connection)*/
++ h2_send_goaway(con, H2_E_ENHANCE_YOUR_CALM);
++}
++
++
+ static void
+ connection_state_machine_h2 (request_st * const h2r, connection * const con)
+ {
+@@ -1359,8 +1372,15 @@ connection_state_machine_h2 (request_st
+ && !chunkqueue_is_empty(con->read_queue))
+ resched |= 1;
+ h2_send_end_stream(r, con);
++ const int alive = r->keep_alive;
+ h2_retire_stream(r, con);/*r invalidated;removed from h2c->r[]*/
+ --i;/* adjust loop i; h2c->rused was modified to retire r */
++ /*(special-case: allow *stream* to set r->keep_alive = -1 to
++ * trigger goaway on h2 connection, e.g. after mod_auth failure
++ * in attempt to mitigate brute force attacks by forcing a
++ * reconnect and (somewhat) slowing down retries)*/
++ if (alive < 0)
++ connection_request_end_h2(h2r, con);
+ }
+ }
+ }
+--- a/src/mod_accesslog.c
++++ b/src/mod_accesslog.c
+@@ -1108,7 +1108,7 @@ static int log_access_record (const requ
+ break;
+ case FORMAT_CONNECTION_STATUS:
+ if (r->state == CON_STATE_RESPONSE_END) {
+- if (0 == r->keep_alive) {
++ if (r->keep_alive <= 0) {
+ buffer_append_string_len(b, CONST_STR_LEN("-"));
+ } else {
+ buffer_append_string_len(b, CONST_STR_LEN("+"));
+--- a/src/mod_auth.c
++++ b/src/mod_auth.c
+@@ -828,7 +828,7 @@ static handler_t mod_auth_check_basic(re
+ log_error(r->conf.errh, __FILE__, __LINE__,
+ "password doesn't match for %s username: %s IP: %s",
+ r->uri.path.ptr, username->ptr, r->con->dst_addr_buf->ptr);
+- r->keep_alive = 0; /*(disable keep-alive if bad password)*/
++ r->keep_alive = -1; /*(disable keep-alive if bad password)*/
+ rc = HANDLER_UNSET;
+ break;
+ }
+@@ -1461,7 +1461,7 @@ static handler_t mod_auth_check_digest(r
+ return HANDLER_FINISHED;
+ case HANDLER_ERROR:
+ default:
+- r->keep_alive = 0; /*(disable keep-alive if unknown user)*/
++ r->keep_alive = -1; /*(disable keep-alive if unknown user)*/
+ buffer_free(b);
+ return mod_auth_send_401_unauthorized_digest(r, require, 0);
+ }
+@@ -1482,7 +1482,7 @@ static handler_t mod_auth_check_digest(r
+ log_error(r->conf.errh, __FILE__, __LINE__,
+ "digest: auth failed for %s: wrong password, IP: %s",
+ username, r->con->dst_addr_buf->ptr);
+- r->keep_alive = 0; /*(disable keep-alive if bad password)*/
++ r->keep_alive = -1; /*(disable keep-alive if bad password)*/
+
+ buffer_free(b);
+ return mod_auth_send_401_unauthorized_digest(r, require, 0);
+--- a/src/reqpool.c
++++ b/src/reqpool.c
+@@ -58,6 +58,7 @@ request_reset (request_st * const r)
+ http_response_reset(r);
+
+ r->loops_per_request = 0;
++ r->keep_alive = 0;
+
+ r->h2state = 0; /* H2_STATE_IDLE */
+ r->h2id = 0;
+--- a/src/request.h
++++ b/src/request.h
+@@ -175,7 +175,7 @@ struct request_st {
+ char resp_header_repeated;
+
+ char loops_per_request; /* catch endless loops in a single request */
+- char keep_alive; /* only request.c can enable it, all other just disable */
++ int8_t keep_alive; /* only request.c can enable it, all other just disable */
+ char async_callback;
+
+ buffer *tmp_buf; /* shared; same as srv->tmp_buf */
+--- a/src/response.c
++++ b/src/response.c
+@@ -103,9 +103,9 @@ http_response_write_header (request_st *
+ if (light_btst(r->resp_htags, HTTP_HEADER_UPGRADE)
+ && r->http_version == HTTP_VERSION_1_1) {
+ http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("upgrade"));
+- } else if (0 == r->keep_alive) {
++ } else if (r->keep_alive <= 0) {
+ http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("close"));
+- } else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive != 0)*/
++ } else if (r->http_version == HTTP_VERSION_1_0) {/*(&& r->keep_alive > 0)*/
+ http_header_response_set(r, HTTP_HEADER_CONNECTION, CONST_STR_LEN("Connection"), CONST_STR_LEN("keep-alive"));
+ }
+
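Review bot: After this patch `keep_alive` has three states, but the comment kept on the field in the src/request.h hunk ("only request.c can enable it, all other just disable") still reads as a boolean. I would document the sentinel where it is declared, e.g. `int8_t keep_alive; /* >0 keep-alive; 0 close; <0 close, and on HTTP/2 send GOAWAY (set by mod_auth on failed auth) */`. The comparisons changed in connections.c, mod_accesslog.c and response.c cover the sites touched here. Any remaining `if (r->keep_alive)` or `0 == r->keep_alive` test outside these hunks would treat -1 as "keep alive", so a grep for other readers of the field is worth doing before this is merged.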
diff --git a/net/lighttpd/patches/050-openssl-skip-chain-build-self-issued.patch b/net/lighttpd/patches/050-openssl-skip-chain-build-self-issued.patch
new file mode 100644
index 000000000..9577858c9
--- /dev/null
+++ b/net/lighttpd/patches/050-openssl-skip-chain-build-self-issued.patch
@@ -0,0 +1,45 @@
+From aa81834bc3ff47aa5cc66b6763678d3cf47a3d54 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Fri, 12 Mar 2021 20:03:38 -0500
+Subject: [PATCH] [mod_openssl] skip cert chain build if self-issued
+
+If cert is self-issued, then do not attempt to build certificate chain.
+
+(Attempting to build certificate chain when chain is not provided, but
+ ssl.ca-file is specified, is provided as backward compatible behavior
+ from lighttpd versions prior to lighttpd 1.4.56)
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/mod_openssl.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/src/mod_openssl.c
++++ b/src/mod_openssl.c
+@@ -103,6 +103,7 @@ typedef struct {
+ time_t ssl_stapling_loadts;
+ time_t ssl_stapling_nextts;
+ char must_staple;
++ char self_issued;
+ } plugin_cert;
+
+ typedef struct {
+@@ -1081,7 +1082,7 @@ mod_openssl_cert_cb (SSL *ssl, void *arg
+ #if !defined(BORINGSSL_API_VERSION) \
+ && !defined(LIBRESSL_VERSION_NUMBER)
+ /* (missing SSL_set1_chain_cert_store() and SSL_build_cert_chain()) */
+- else if (hctx->conf.ssl_ca_file) {
++ else if (hctx->conf.ssl_ca_file && !pc->self_issued) {
+ /* preserve legacy behavior whereby openssl will reuse CAs trusted for
+ * certificate verification (set by SSL_CTX_load_verify_locations() in
+ * SSL_CTX) in order to build certificate chain for server certificate
+@@ -1671,6 +1672,9 @@ network_openssl_load_pemfile (server *sr
+ #else
+ pc->must_staple = 0;
+ #endif
++ pc->self_issued =
++ (0 == X509_NAME_cmp(X509_get_subject_name(ssl_pemfile_x509),
++ X509_get_issuer_name(ssl_pemfile_x509)));
+
+ if (!buffer_string_is_empty(pc->ssl_stapling_file)) {
+ #ifndef OPENSSL_NO_OCSP
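Review bot: `pc->self_issued` is derived only from `X509_NAME_cmp()` of the subject and issuer names, which the new field in `plugin_cert` does not say. A short comment on the declaration would stop it being read later as a signature or trust check: `char self_issued; /* subject name == issuer name; names compared only, signature not verified */`. As used in `mod_openssl_cert_cb` it only skips the legacy chain build, so the name comparison is sufficient there. Both functions continue outside the hunks shown.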
diff --git a/net/lighttpd/patches/060-meson-zstd.patch b/net/lighttpd/patches/060-meson-zstd.patch
new file mode 100644
index 000000000..138b44351
--- /dev/null
+++ b/net/lighttpd/patches/060-meson-zstd.patch
@@ -0,0 +1,27 @@
+From c41ebea4bb220c8fe252f472eec836c691734690 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Fri, 2 Apr 2021 01:01:02 -0400
+Subject: [PATCH] [build] fix zstd option in meson (fixes #3076)
+
+(thx KimonHoffmann)
+
+x-ref:
+ "Fix zstd dependency handling in meson build"
+ https://redmine.lighttpd.net/issues/3076
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/meson.build
++++ b/src/meson.build
+@@ -685,7 +685,7 @@ endif
+
+ libzstd = []
+ if get_option('with_zstd')
+- libz = dependency('zstd', required: false)
++ libzstd = dependency('zstd', required: false)
+ if libzstd.found()
+ libzstd = [ libzstd ]
+ else
diff --git a/net/lighttpd/patches/070-ls-hpack-update.patch b/net/lighttpd/patches/070-ls-hpack-update.patch
new file mode 100644
index 000000000..1267fa996
--- /dev/null
+++ b/net/lighttpd/patches/070-ls-hpack-update.patch
@@ -0,0 +1,56 @@
+From 3392e8fb11de35778cad1fb112e6eb5916aa7de0 Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Tue, 20 Apr 2021 22:04:56 -0400
+Subject: [PATCH] [core] update ls-hpack
+
+LiteSpeed ls-hpack v2.3.0
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/ls-hpack/README.md | 2 +-
+ src/ls-hpack/lshpack.c | 4 +++-
+ src/ls-hpack/lshpack.h | 6 +++---
+ 3 files changed, 7 insertions(+), 5 deletions(-)
+
+--- a/src/ls-hpack/lshpack.c
++++ b/src/ls-hpack/lshpack.c
+@@ -1,7 +1,7 @@
+ /*
+ MIT License
+
+-Copyright (c) 2018 LiteSpeed Technologies Inc
++Copyright (c) 2018 - 2021 LiteSpeed Technologies Inc
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+@@ -1549,6 +1549,8 @@ lshpack_dec_push_entry (struct lshpack_d
+ #endif
+ memcpy(DTE_NAME(entry), lsxpack_header_get_name(xhdr), name_len);
+ memcpy(DTE_VALUE(entry), lsxpack_header_get_value(xhdr), val_len);
++
++ hdec_remove_overflow_entries(dec);
+ return 0;
+ }
+
+--- a/src/ls-hpack/lshpack.h
++++ b/src/ls-hpack/lshpack.h
+@@ -1,7 +1,7 @@
+ /*
+ MIT License
+
+-Copyright (c) 2018 - 2020 LiteSpeed Technologies Inc
++Copyright (c) 2018 - 2021 LiteSpeed Technologies Inc
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+@@ -34,8 +34,8 @@ extern "C" {
+ #include "lsxpack_header.h"
+
+ #define LSHPACK_MAJOR_VERSION 2
+-#define LSHPACK_MINOR_VERSION 2
+-#define LSHPACK_PATCH_VERSION 1
++#define LSHPACK_MINOR_VERSION 3
++#define LSHPACK_PATCH_VERSION 0
+
+ #define lshpack_strlen_t lsxpack_strlen_t
+ #define LSHPACK_MAX_STRLEN LSXPACK_MAX_STRLEN
diff --git a/net/lighttpd/patches/080-http2-data-after-response.patch b/net/lighttpd/patches/080-http2-data-after-response.patch
new file mode 100644
index 000000000..397aa27a4
--- /dev/null
+++ b/net/lighttpd/patches/080-http2-data-after-response.patch
@@ -0,0 +1,145 @@
+From 81d18a8e359685c169cfd30e6a1574b98aedbaeb Mon Sep 17 00:00:00 2001
+From: Glenn Strauss <gstrauss@gluelogic.com>
+Date: Thu, 22 Apr 2021 01:11:47 -0400
+Subject: [PATCH] [core] discard some HTTP/2 DATA after response (fixes #3078)
+
+(thx oldium)
+
+improve handling of HTTP/2 DATA frames received
+a short time after sending response
+
+x-ref:
+ "POST request DATA part for non-existing URI closes HTTP/2 connection prematurely"
+ https://redmine.lighttpd.net/issues/3078
+
+Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
+---
+ src/h2.c | 64 ++++++++++++++++++++++++++++++++++++++++++--------------
+ src/h2.h | 1 +
+ 2 files changed, 49 insertions(+), 16 deletions(-)
+
+--- a/src/h2.c
++++ b/src/h2.c
+@@ -272,10 +272,23 @@ h2_send_rst_stream_id (uint32_t h2id, co
+
+ __attribute_cold__
+ static void
+-h2_send_rst_stream (request_st * const r, connection * const con, const request_h2error_t e)
++h2_send_rst_stream_state (request_st * const r, h2con * const h2c)
+ {
++ if (r->h2state != H2_STATE_HALF_CLOSED_REMOTE
++ && r->h2state != H2_STATE_CLOSED) {
++ /* set timestamp for comparison; not tracking individual stream ids */
++ h2c->half_closed_ts = log_epoch_secs;
++ }
+ r->state = CON_STATE_ERROR;
+ r->h2state = H2_STATE_CLOSED;
++}
++
++
++__attribute_cold__
++static void
++h2_send_rst_stream (request_st * const r, connection * const con, const request_h2error_t e)
++{
++ h2_send_rst_stream_state(r, con->h2);/*(sets r->h2state = H2_STATE_CLOSED)*/
+ h2_send_rst_stream_id(r->h2id, con, e);
+ }
+
+@@ -289,13 +302,10 @@ h2_send_goaway_rst_stream (connection *
+ for (uint32_t i = 0, rused = h2c->rused; i < rused; ++i) {
+ request_st * const r = h2c->r[i];
+ if (r->h2state == H2_STATE_CLOSED) continue;
++ h2_send_rst_stream_state(r, h2c);/*(sets r->h2state = H2_STATE_CLOSED)*/
+ /*(XXX: might consider always sending RST_STREAM)*/
+- if (!sent_goaway) {
+- r->state = CON_STATE_ERROR;
+- r->h2state = H2_STATE_CLOSED;
+- }
+- else /*(also sets r->h2state = H2_STATE_CLOSED)*/
+- h2_send_rst_stream(r, con, H2_E_PROTOCOL_ERROR);
++ if (sent_goaway)
++ h2_send_rst_stream_id(r->h2id, con, H2_E_PROTOCOL_ERROR);
+ }
+ }
+
+@@ -780,14 +790,27 @@ h2_recv_data (connection * const con, co
+ }
+ chunkqueue * const cq = con->read_queue;
+ if (NULL == r) {
+- /* XXX: TODO: might need to keep a list of recently retired streams
+- * for a few seconds so that if we send RST_STREAM, then we ignore
+- * further DATA and do not send connection error, though recv windows
+- * still must be updated. */
+- if (h2c->h2_cid < id || (!h2c->sent_goaway && 0 != alen))
+- h2_send_goaway_e(con, H2_E_PROTOCOL_ERROR);
++ /* simplistic heuristic to discard additional DATA from recently-closed
++ * streams (or half-closed (local)), where recently-closed here is
++ * within 2-3 seconds of any (other) stream being half-closed (local)
++ * or reset before that (other) stream received END_STREAM from peer.
++ * (e.g. clients might fire off POST request followed by DATA,
++ * and a response might be sent before processing DATA frames)
++ * (id <= h2c->h2_cid) already checked above, else H2_E_PROTOCOL_ERROR
++ * If the above conditions do not hold, then send GOAWAY to attempt to
++ * reduce the chance of becoming an infinite data sink for misbehaving
++ * clients, though remaining streams are still handled before the
++ * connection is closed. */
+ chunkqueue_mark_written(cq, 9+len);
+- return 0;
++ if (h2c->half_closed_ts + 2 >= log_epoch_secs) {
++ h2_send_window_update(con, 0, len); /*(h2r->h2_rwin)*/
++ return 1;
++ }
++ else {
++ if (!h2c->sent_goaway && 0 != alen)
++ h2_send_goaway_e(con, H2_E_NO_ERROR);
++ return 0;
++ }
+ }
+
+ if (r->h2state == H2_STATE_CLOSED
+@@ -808,7 +831,7 @@ h2_recv_data (connection * const con, co
+ }
+ }
+ /*(allow h2r->h2_rwin to dip below 0 so that entire frame is processed)*/
+- /*(undeflow will not occur (with reasonable SETTINGS_MAX_FRAME_SIZE used)
++ /*(underflow will not occur (with reasonable SETTINGS_MAX_FRAME_SIZE used)
+ * since windows updated elsewhere and data is streamed to temp files if
+ * not FDEVENT_STREAM_REQUEST_BUFMIN)*/
+ /*r->h2_rwin -= (int32_t)len;*/
+@@ -2347,16 +2370,25 @@ h2_send_end_stream_data (request_st * co
+ } };
+
+ dataframe.u[2] = htonl(r->h2id);
+- r->h2state = H2_STATE_CLOSED;
+ /*(ignore window updates when sending 0-length DATA frame with END_STREAM)*/
+ chunkqueue_append_mem(con->write_queue, /*(+3 to skip over align pad)*/
+ (const char *)dataframe.c+3, sizeof(dataframe)-3);
++
++ if (r->h2state != H2_STATE_HALF_CLOSED_REMOTE) {
++ /* set timestamp for comparison; not tracking individual stream ids */
++ h2con * const h2c = con->h2;
++ h2c->half_closed_ts = log_epoch_secs;
++ /* indicate to peer that no more DATA should be sent from peer */
++ h2_send_rst_stream_id(r->h2id, con, H2_E_NO_ERROR);
++ }
++ r->h2state = H2_STATE_CLOSED;
+ }
+
+
+ void
+ h2_send_end_stream (request_st * const r, connection * const con)
+ {
++ if (r->h2state == H2_STATE_CLOSED) return;
+ if (r->state != CON_STATE_ERROR && r->resp_body_finished) {
+ /* CON_STATE_RESPONSE_END */
+ if (r->gw_dechunk && r->gw_dechunk->done
+--- a/src/h2.h
++++ b/src/h2.h
+@@ -92,6 +92,7 @@ struct h2con {
+ uint32_t s_max_header_list_size; /* SETTINGS_MAX_HEADER_LIST_SIZE */
+ struct lshpack_dec decoder;
+ struct lshpack_enc encoder;
++ time_t half_closed_ts;
+ };
+
+ void h2_send_goaway (connection *con, request_h2error_t e);
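Review bot: The grace period in `h2_recv_data` is the bare `+ 2` in `h2c->half_closed_ts + 2 >= log_epoch_secs`, while the comment above it says "2-3 seconds". A named constant declared next to the new field in src/h2.h would keep code and comment in step, e.g. `#define H2_DISCARD_DATA_GRACE_SECS 2`. The patch adds `half_closed_ts` to `struct h2con` but no initialisation is visible here, so it is worth confirming the struct is zero-allocated before the first comparison. The timestamp is per connection and is refreshed by every stream closed early, so the visible code puts no bound on how much DATA is discarded and re-credited through `h2_send_window_update`. A per-connection counter that falls through to the GOAWAY branch after a limit would cap the "data sink" case the comment itself describes.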
diff --git a/net/nextdns/Makefile b/net/nextdns/Makefile
index 4a2c22d6a..08ca986e9 100644
--- a/net/nextdns/Makefile
+++ b/net/nextdns/Makefile
@@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=nextdns
-PKG_VERSION:=1.11.0
+PKG_VERSION:=1.32.0
PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/nextdns/nextdns.git
-PKG_MIRROR_HASH:=3653c320504d20032dd844bd20a7629a3e6eba589bac552218ddfe826f3ce481
+PKG_MIRROR_HASH:=b48a8be602025d3cbcd087717065e1fd2b37040fab6e769c40e658a647b3657b
PKG_MAINTAINER:=Olivier Poitrey <rs@nextdns.io>
PKG_LICENSE:=MIT
diff --git a/net/openssh/Makefile b/net/openssh/Makefile
index 94ab2c311..d6c649a38 100644
--- a/net/openssh/Makefile
+++ b/net/openssh/Makefile
@@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=openssh
-PKG_VERSION:=8.5p1
+PKG_VERSION:=8.6p1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ \
https://ftp.spline.de/pub/OpenBSD/OpenSSH/portable/
-PKG_HASH:=f52f3f41d429aa9918e38cf200af225ccdd8e66f052da572870c89737646ec25
+PKG_HASH:=c3e6e4da1621762c850d03b47eed1e48dff4cc9608ddeb547202a234df8ed7ae
PKG_LICENSE:=BSD ISC
PKG_LICENSE_FILES:=LICENCE
diff --git a/net/openvpn/Makefile b/net/openvpn/Makefile
index 3b3adce42..d46b7bb73 100644
--- a/net/openvpn/Makefile
+++ b/net/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=openvpn
-PKG_VERSION:=2.5.1
-PKG_RELEASE:=3
+PKG_VERSION:=2.5.2
+PKG_RELEASE:=1
PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=40930489c837c05f6153f38e1ebaec244431ef1a034e4846ff732d71d59ff194
+PKG_HASH:=b12743836901f365efaf82ab2493967e1b21c21eb43ce9a8da1002a17c9c1dc8
PKG_MAINTAINER:=Magnus Kroken <mkroken@gmail.com>
diff --git a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index 4141c2863..c54277006 100644
--- a/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ b/net/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
-@@ -1520,7 +1520,7 @@ const char *
+@@ -1535,7 +1535,7 @@ const char *
get_ssl_library_version(void)
{
static char mbedtls_version[30];
diff --git a/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch b/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch
new file mode 100644
index 000000000..532d64f60
--- /dev/null
+++ b/net/openvpn/patches/115-fix-mbedtls-without-renegotiation.patch
@@ -0,0 +1,42 @@
+From e4bd17c86e01aaf6f809d9ea355419c86c4defdc Mon Sep 17 00:00:00 2001
+From: Max Fillinger <maximilian.fillinger@foxcrypto.com>
+Date: Mon, 12 Apr 2021 19:46:17 +0200
+Subject: [PATCH] Fix build with mbedtls w/o SSL renegotiation support
+
+In mbedtls, support for SSL renegotiation can be disabled at
+compile-time. However, OpenVPN cannot be built with such a library
+because it calls mbedtls_ssl_conf_renegotiation() to disable this
+feature at runtime. This function doesn't exist when mbedtls was built
+without support for SSL renegotiation.
+
+This commit fixes the build by ifdef'ing out the function call when
+mbedtls was built without support for SSL renegotiation.
+
+Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
+Acked-by: Antonio Quartulli <antonio@openvpn.net>
+Message-Id: <E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com>
+URL: https://www.mail-archive.com/search?l=mid&q=E1lW0eX-00012w-9n@sfs-ml-1.v29.lw.sourceforge.com
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+---
+ src/openvpn/ssl_mbedtls.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -1098,10 +1098,13 @@ key_state_ssl_init(struct key_state_ssl
+ {
+ mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups);
+ }
+- /* Disable TLS renegotiations. OpenVPN's renegotiation creates new SSL
+- * session and does not depend on this feature. And TLS renegotiations have
+- * been problematic in the past */
++
++ /* Disable TLS renegotiations if the mbedtls library supports that feature.
++ * OpenVPN's renegotiation creates new SSL sessions and does not depend on
++ * this feature and TLS renegotiations have been problematic in the past. */
++#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ mbedtls_ssl_conf_renegotiation(ks_ssl->ssl_config, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
++#endif /* MBEDTLS_SSL_RENEGOTIATION */
+
+ /* Disable record splitting (for now). OpenVPN assumes records are sent
+ * unfragmented, and changing that will require thorough review and
diff --git a/net/openvpn/test.sh b/net/openvpn/test.sh
new file mode 100755
index 000000000..b51ccd6a1
--- /dev/null
+++ b/net/openvpn/test.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+case "$1" in
+ "openvpn-mbedtls")
+ openvpn --version | grep "$2.*SSL (mbed TLS)"
+ ;;
+ "openvpn-openssl")
+ openvpn --version | grep "$2.*SSL (OpenSSL)"
+ ;;
+esac
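Review bot: `$2` is pasted into the grep pattern as a regular expression, so the dots in a version such as 2.5.2 match any character and the check can pass on a different version string. Matching both parts as fixed strings avoids that: `openvpn --version | grep -F "$2" | grep -F "SSL (mbed TLS)"`, and the same with `SSL (OpenSSL)` in the second branch. The `case` also has no `*)` branch, so an unrecognised package name exits 0 without testing anything. If that is intended, a one-line comment such as `# other openvpn-* packages: nothing to check` would say so.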
diff --git a/net/stunnel/Makefile b/net/stunnel/Makefile
index 987b5c76c..7c21f5ae4 100644
--- a/net/stunnel/Makefile
+++ b/net/stunnel/Makefile
@@ -8,7 +8,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=stunnel
-PKG_VERSION:=5.58
+PKG_VERSION:=5.59
PKG_RELEASE:=1
PKG_LICENSE:=GPL-2.0-or-later
@@ -23,7 +23,7 @@ PKG_SOURCE_URL:= \
https://www.usenix.org.uk/mirrors/stunnel/archive/$(word 1, $(subst .,$(space),$(PKG_VERSION))).x/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=d4c14cc096577edca3f6a2a59c2f51869e35350b3988018ddf808c88e5973b79
+PKG_HASH:=137776df6be8f1701f1cd590b7779932e123479fb91e5192171c16798815ce9f
PKG_FIXUP:=autoreconf
PKG_FIXUP:=patch-libtool
diff --git a/net/udp-broadcast-relay-redux-openwrt/Makefile b/net/udp-broadcast-relay-redux-openwrt/Makefile
new file mode 100644
index 000000000..f3854fb80
--- /dev/null
+++ b/net/udp-broadcast-relay-redux-openwrt/Makefile
@@ -0,0 +1,49 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=udp-broadcast-relay-redux
+PKG_RELEASE:=$(AUTORELEASE)
+PKG_LICENSE:=GPL-2.0
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/udp-redux/udp-broadcast-relay-redux
+PKG_SOURCE_DATE:=2021-04-05
+PKG_SOURCE_VERSION:=671372938b55a186625a80516f86e8b9948c977a
+PKG_MIRROR_HASH:=11cf8728f2b8e966f4f57032d817a889f680ed8e61afff35b52ca9c6789a03c6
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/udp-broadcast-relay-redux
+ SECTION:=net
+ CATEGORY:=Network
+ SUBMENU:=Routing and Redirection
+ TITLE:=listens for packets on a specified UDP broadcast port and replays them
+ URL:=https://github.com/udp-redux/udp-broadcast-relay-redux
+endef
+
+define Package/udp-broadcast-relay-redux/description
+ This program listens for packets on a specified UDP broadcast port.
+ When a packet is received, it sends that packet to all specified interfaces but
+ the one it came from as though it originated from the original sender.
+ The primary purpose of this is to allow games on machines on separated
+ local networks (Ethernet, WLAN) that use udp broadcasts to find each other to do so.
+ It also works on ppp links, so you can log in from windows boxes (e.g. using pptp)
+ and play LAN-based games together. Currently, you have to care about upcoming or
+ downgoing interfaces yourself.
+endef
+
+define Package/udp-broadcast-relay-redux/conffiles
+/etc/config/udp_broadcast_relay_redux
+endef
+
+define Build/Compile
+ $(TARGET_CC) $(TARGET_CFLAGS) $(PKG_BUILD_DIR)/main.c -o $(PKG_BUILD_DIR)/$(PKG_NAME)
+endef
+
+define Package/udp-broadcast-relay-redux/install
+ $(INSTALL_DIR) $(1)/usr/sbin $(1)/etc/config $(1)/etc/init.d
+ $(CP) $(PKG_BUILD_DIR)/$(PKG_NAME) $(1)/usr/sbin/
+ $(INSTALL_CONF) ./files/udp_broadcast_relay_redux.config $(1)/etc/config/udp_broadcast_relay_redux
+ $(INSTALL_BIN) ./files/udp-broadcast-relay-redux.init $(1)/etc/init.d/udp-broadcast-relay-redux
+endef
+
+$(eval $(call BuildPackage,udp-broadcast-relay-redux))
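Review bot: `Build/Compile` compiles and links in one step with only `$(TARGET_CFLAGS)`, so `$(TARGET_CPPFLAGS)` and `$(TARGET_LDFLAGS)` never reach the compiler. Any link-time hardening or library paths the build system configures there are likely lost, for a binary that handles packets from the network. I would use `$(TARGET_CC) $(TARGET_CFLAGS) $(TARGET_CPPFLAGS) $(PKG_BUILD_DIR)/main.c -o $(PKG_BUILD_DIR)/$(PKG_NAME) $(TARGET_LDFLAGS)`. In the install step, `$(INSTALL_BIN) $(PKG_BUILD_DIR)/$(PKG_NAME) $(1)/usr/sbin/` sets the file mode explicitly instead of inheriting it from the build tree through `$(CP)`. The package also declares no `PKG_MAINTAINER`.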
diff --git a/net/udp-broadcast-relay-redux-openwrt/files/udp-broadcast-relay-redux.init b/net/udp-broadcast-relay-redux-openwrt/files/udp-broadcast-relay-redux.init
new file mode 100644
index 000000000..aa35f5546
--- /dev/null
+++ b/net/udp-broadcast-relay-redux-openwrt/files/udp-broadcast-relay-redux.init
@@ -0,0 +1,76 @@
+#!/bin/sh /etc/rc.common
+
+START=90
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/sbin/udp-broadcast-relay-redux
+NAME=udp-broadcast-relay-redux
+PIDCOUNT=0
+
+validate_section_udp_broadcast_relay_redux()
+{
+ uci_validate_section udp_broadcast_relay_redux udp_broadcast_relay_redux "${1}" \
+ 'id:uinteger' \
+ 'port:port' \
+ 'network:list(string)' \
+ 'src_override:ip4addr' \
+ 'dest_override:ip4addr'
+
+ [ -z "$id" ] && return 1
+
+ [ -z "$network" ] && return 1
+
+ [ -z "$port" ] && return 1
+
+ return 0
+}
+
+udp_broadcast_relay_redux_instance() {
+ local net network ifname id port src_override dest_override
+
+ validate_section_udp_broadcast_relay_redux "${1}" || {
+ echo "Validation failed"
+ return 1
+ }
+
+ PIDCOUNT="$((PIDCOUNT + 1))"
+
+ procd_open_instance
+ procd_set_param command "$PROG" "--id" "${id}" "--port" "${port}"
+
+ for net in $network; do
+ network_get_device ifname "$net"
+ if [ -z "$ifname" ]; then
+ network_get_physdev ifname "$net"
+ fi
+ if [ -n "$ifname" ]; then
+ procd_append_param command "--dev" "$ifname"
+ procd_append_param netdev "$ifname"
+ fi
+ done
+
+ if [ -n "$src_override" ] ; then
+ procd_append_param command "-s" "$src_override"
+ fi
+
+ if [ -n "$dest_override" ] ; then
+ procd_append_param command "-t" "$dest_override"
+ fi
+
+ procd_add_jail ubr-${PIDCOUNT}
+ procd_close_instance
+}
+
+start_service() {
+ . /lib/functions.sh
+ . /lib/functions/network.sh
+
+ config_load udp_broadcast_relay_redux
+ config_foreach udp_broadcast_relay_redux_instance udp_broadcast_relay_redux
+}
+
+service_triggers() {
+ procd_add_reload_trigger "udp_broadcast_relay_redux"
+ procd_add_validation validate_section_udp_broadcast_relay_redux
+}
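Review bot: The exit status of `uci_validate_section` is discarded in `validate_section_udp_broadcast_relay_redux`, so the function's result depends only on `id`, `network` and `port` being non-empty. As far as this hunk shows, a `src_override` or `dest_override` that fails the `ip4addr` check would not stop the instance from being started. I would end the call with `'dest_override:ip4addr' || return 1` so that a type failure rejects the section. The message in `udp_broadcast_relay_redux_instance` could also name the section, e.g. `echo "Validation failed for section ${1}"`, so a bad entry can be found when several relays are configured.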
diff --git a/net/udp-broadcast-relay-redux-openwrt/files/udp_broadcast_relay_redux.config b/net/udp-broadcast-relay-redux-openwrt/files/udp_broadcast_relay_redux.config
new file mode 100644
index 000000000..f7164bd68
--- /dev/null
+++ b/net/udp-broadcast-relay-redux-openwrt/files/udp_broadcast_relay_redux.config
@@ -0,0 +1,6 @@
+#config udp_broadcast_relay_redux
+# option id 1
+# option port 47624
+# list network lan
+# list network vpnsrv
+# option dest_override 10.66.2.13
diff --git a/utils/cni-plugins-nft/Makefile b/utils/cni-plugins-nft/Makefile
new file mode 100644
index 000000000..f00b0e160
--- /dev/null
+++ b/utils/cni-plugins-nft/Makefile
@@ -0,0 +1,50 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=cni-plugins-nft
+PKG_VERSION:=1.0.5
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins/archive/v$(PKG_VERSION)
+PKG_HASH:=c8cbdfe43c144cf0df834555698312e8fd3daf6f2c5ac35e7959b90b91b154ad
+
+PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
+
+PKG_BUILD_DEPENDS:=golang/host
+PKG_BUILD_PARALLEL:=1
+PKG_USE_MIPS16:=0
+
+GO_PKG:=github.com/greenpau/cni-plugins/
+GO_PKG_BUILD_PKG:=github.com/greenpau/cni-plugins/cmd/cni-nftables-portmap \
+ github.com/greenpau/cni-plugins/cmd/cni-nftables-firewall
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/golang/golang-package.mk
+
+PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
+
+define Package/cni-plugins-nft
+ SECTION:=utils
+ CATEGORY:=Utilities
+ TITLE:=CNI Plugins compatible with nftables
+ URL:=https://github.com/greenpau/cni-plugins/
+ DEPENDS:=$(GO_ARCH_DEPENDS) +nftables
+endef
+
+define Package/cni-plugins-nft/description
+ CNI Plugins maintained by the CNI team do not support nftables, except when used with systemd.
+ These plugins do.
+ - cni-nftables-portmap
+ - cni-nftables-firewall
+endef
+
+define Package/cni-plugins-nft/install
+ $(call GoPackage/Package/Install/Bin,$(PKG_INSTALL_DIR))
+ $(INSTALL_DIR) $(1)/usr/lib/cni
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/lib/cni
+endef
+
+$(eval $(call GoBinPackage,cni-plugins-nft))
+$(eval $(call BuildPackage,cni-plugins-nft))
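Review bot: The install step copies `$(PKG_INSTALL_DIR)/usr/bin/*` into `$(1)/usr/lib/cni`, so whatever the Go build happens to leave in that directory ends up in the CNI plugin directory, where the container runtime looks up plugins by name. Listing the two binaries named in `GO_PKG_BUILD_PKG` keeps the package contents fixed and makes the build fail if one of them is missing: `$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/cni-nftables-portmap $(PKG_INSTALL_DIR)/usr/bin/cni-nftables-firewall $(1)/usr/lib/cni/`. A short comment above `PKG_UNPACK` saying why the default unpack is overridden (presumably the archive's top-level directory does not match `$(PKG_NAME)-$(PKG_VERSION)`) would also help the next maintainer.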
diff --git a/utils/containerd/Makefile b/utils/containerd/Makefile
index 3ab649994..60f5f09e7 100644
--- a/utils/containerd/Makefile
+++ b/utils/containerd/Makefile
@@ -1,15 +1,15 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=containerd
-PKG_VERSION:=1.4.3
-PKG_RELEASE:=4
+PKG_VERSION:=1.4.4
+PKG_RELEASE:=1
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/containerd/containerd/tar.gz/v${PKG_VERSION}?
-PKG_HASH:=bc6d9452c700af0ebc09c0da8ddba55be4c03ac8928e72ca92d98905800c8018
-PKG_SOURCE_VERSION:=269548fa27e0089a8b8278fc4fc781d7f65a939b
+PKG_HASH:=ac62c64664bf62fd44df0891c896eecdb6d93def3438271d7892dca75bc069d1
+PKG_SOURCE_VERSION:=05f951a3781f4f2c1911b05e61c160e9c30eaa8e
PKG_MAINTAINER:=Gerard Ryan <G.M0N3Y.2503@gmail.com>
diff --git a/utils/docker/Makefile b/utils/docker/Makefile
index cad6bc775..1bf432675 100644
--- a/utils/docker/Makefile
+++ b/utils/docker/Makefile
@@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=docker
-PKG_VERSION:=20.10.5
+PKG_VERSION:=20.10.6
PKG_RELEASE:=1
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
@@ -10,8 +10,8 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_GIT_URL:=github.com/docker/cli
PKG_GIT_REF:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://codeload.$(PKG_GIT_URL)/tar.gz/$(PKG_GIT_REF)?
-PKG_HASH:=4ba845f8c7e2e0a2ca1ec6589847159ca8d0d37b609f0e6f78def7a893b9b342
-PKG_GIT_SHORT_COMMIT:=55c4c88 # SHA1 used within the docker executables
+PKG_HASH:=eda53b96ab83a59502df2e5e00ab7ee867243259407ef454be55e695303c1113
+PKG_GIT_SHORT_COMMIT:=370c289 # SHA1 used within the docker executables
PKG_MAINTAINER:=Gerard Ryan <G.M0N3Y.2503@gmail.com>
diff --git a/utils/dockerd/Makefile b/utils/dockerd/Makefile
index cf0d51b6b..4b1488328 100644
--- a/utils/dockerd/Makefile
+++ b/utils/dockerd/Makefile
@@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dockerd
-PKG_VERSION:=20.10.5
+PKG_VERSION:=20.10.6
PKG_RELEASE:=1
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
@@ -10,8 +10,8 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_GIT_URL:=github.com/moby/moby
PKG_GIT_REF:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://codeload.$(PKG_GIT_URL)/tar.gz/$(PKG_GIT_REF)?
-PKG_HASH:=bcf651d75e5c80421e8cd3b0d47f3425e01047cf67aef0eda83b68776905a583
-PKG_GIT_SHORT_COMMIT:=363e9a8 # SHA1 used within the docker executables
+PKG_HASH:=fd7f5571b1f64f26b5ca520a3e1fefb33c190f3732b931051c23a76bdba5000e
+PKG_GIT_SHORT_COMMIT:=8728dd2 # SHA1 used within the docker executables
PKG_MAINTAINER:=Gerard Ryan <G.M0N3Y.2503@gmail.com>
diff --git a/utils/gummiboot/Makefile b/utils/gummiboot/Makefile
new file mode 100644
index 000000000..01db86610
--- /dev/null
+++ b/utils/gummiboot/Makefile
@@ -0,0 +1,66 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=gummiboot
+PKG_VERSION:=45
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL:=https://github.com/rzr/gummiboot.git
+PKG_SOURCE_DATE:=2021-04-11
+PKG_SOURCE_VERSION:=eb3daf2ca4cb1657cf1f780957485d690a552bf6
+PKG_MIRROR_HASH:=4c57791693b57bbe36e85b49d70310728b8008c4c545006a71c5a5f71b8df501
+
+PKG_LICENSE:=LGPL-2.1-or-later
+PKG_LICENSE_FILES:=LICENSE
+PKG_BUILD_DEPENDS:=gnu-efi
+PKG_BUILD_PARALLEL:=1
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/gummiboot
+ SECTION:=boot
+ CATEGORY:=Boot Loaders
+ TITLE:=Simple UEFI boot manager
+ DEPENDS:=@TARGET_X86_64 +libblkid
+ URL:=https://github.com/rzr/gummiboot
+endef
+
+define Package/gummiboot/description
+ gummiboot Simple UEFI boot manager
+
+ gummiboot executes EFI images. The default entry is selected by a configured
+ pattern (glob) or an on-screen menu.
+endef
+
+CONFIGURE_ARGS += \
+ --with-efi-libdir=$(STAGING_DIR)/usr/lib \
+ --with-efi-ldsdir=$(STAGING_DIR)/usr/lib \
+ --with-efi-includedir=$(STAGING_DIR)/usr/include
+
+define Build/Compile
+ +$(MAKE_VARS) EFI_CFLAGS="-I$(TOOLCHAIN_DIR)/include $(TARGET_CFLAGS)" \
+ $(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR)/$(MAKE_PATH) \
+ $(MAKE_FLAGS) \
+ $(1);
+endef
+
+define Build/Install
+ $(MAKE_VARS) EFI_CFLAGS="-I$(TOOLCHAIN_DIR)/include $(TARGET_CFLAGS)" \
+ $(MAKE) -C $(PKG_BUILD_DIR)/$(MAKE_PATH) \
+ $(MAKE_INSTALL_FLAGS) install
+endef
+
+define Package/gummiboot/install
+ $(INSTALL_DIR) $(1)/usr/sbin $(1)/usr/lib/gummiboot
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/gummiboot/gummibootx64.efi $(1)/usr/lib/gummiboot/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gummiboot $(1)/usr/sbin/
+endef
+
+$(eval $(call BuildPackage,gummiboot))
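Review bot: This new Makefile sets no `PKG_MAINTAINER`, unlike the other packages added in this commit (cni-plugins-nft, mtools). For a boot loader built from a pinned commit of a fork, a named contact matters when fixes need tracking, so add `PKG_MAINTAINER:=<name> <email>` (placeholder) next to `PKG_LICENSE`. As a style point, `EFI_CFLAGS="-I$(TOOLCHAIN_DIR)/include $(TARGET_CFLAGS)"` is repeated in `Build/Compile` and `Build/Install`; setting it once with `MAKE_VARS += EFI_CFLAGS="..."` keeps the two steps from drifting apart and may make both overrides unnecessary.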
diff --git a/utils/gummiboot/patches/010-fix-missing-includes.patch b/utils/gummiboot/patches/010-fix-missing-includes.patch
new file mode 100644
index 000000000..60365997d
--- /dev/null
+++ b/utils/gummiboot/patches/010-fix-missing-includes.patch
@@ -0,0 +1,10 @@
+--- a/src/setup/setup.c
++++ b/src/setup/setup.c
+@@ -37,6 +37,7 @@
+ #include <ftw.h>
+ #include <stdbool.h>
+ #include <blkid.h>
++#include <sys/sysmacros.h>
+
+ #include "efivars.h"
+
diff --git a/utils/gummiboot/patches/020-fix-dev-mapping.patch b/utils/gummiboot/patches/020-fix-dev-mapping.patch
new file mode 100644
index 000000000..0446aa2d0
--- /dev/null
+++ b/utils/gummiboot/patches/020-fix-dev-mapping.patch
@@ -0,0 +1,54 @@
+--- a/src/setup/setup.c
++++ b/src/setup/setup.c
+@@ -83,6 +83,9 @@ static int verify_esp(const char *p, uin
+ blkid_probe b = NULL;
+ int r;
+ const char *v;
++ char buf[1024];
++
++ memset(buf, 0, sizeof(buf));
+
+ if (statfs(p, &sfs) < 0) {
+ fprintf(stderr, "Failed to check file system type of %s: %m\n", p);
+@@ -122,24 +125,38 @@ static int verify_esp(const char *p, uin
+ return -ENODEV;
+ }
+
+- r = asprintf(&t, "/dev/block/%u:%u", major(st.st_dev), minor(st.st_dev));
++ r = asprintf(&t, "/sys/dev/block/%u:%u", major(st.st_dev), minor(st.st_dev));
+ if (r < 0) {
+ fprintf(stderr, "Out of memory.\n");
+ return -ENOMEM;
+ }
+
++ r = readlink(t, buf, sizeof(buf) - 1);
++ if (r < 0) {
++ fprintf(stderr, "Failed to identify device node for block device %u:%u\n", major(st.st_dev), minor(st.st_dev));
++ return -ENOMEM;
++ }
++
++ r = asprintf(&t, "/dev/%s", basename(buf));
++ if (r < 0) {
++ fprintf(stderr, "Out of memory.\n");
++ return -ENOMEM;
++ }
++
+ errno = 0;
+ b = blkid_new_probe_from_filename(t);
+- free(t);
+ if (!b) {
+ if (errno != 0) {
+- fprintf(stderr, "Failed to open file system %s: %m\n", p);
++ fprintf(stderr, "Failed to open file system %s on %s: %m\n", p, t);
++ free(t);
+ return -errno;
+ }
+
++ free(t);
+ fprintf(stderr, "Out of memory.\n");
+ return -ENOMEM;
+ }
++ free(t);
+
+ blkid_probe_enable_superblocks(b, 1);
+ blkid_probe_set_superblocks_flags(b, BLKID_SUBLKS_TYPE);
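Review bot: The buffer from the first `asprintf` (the `/sys/dev/block/...` path) is never freed: `t` is overwritten by the second `asprintf`, and the `readlink` failure path returns without releasing it. That failure path also reports `-ENOMEM` although the cause is whatever `readlink` set in `errno`, and the message omits `%m`. I would free `t` right after `readlink` and return `-errno`, as sketched below. `basename()` also needs a declaration in scope; the include list is outside this hunk, so please confirm which variant (`<libgen.h>` or the GNU one) the file gets. `verify_esp` starts and ends outside the hunk.

```c
r = readlink(t, buf, sizeof(buf) - 1);
if (r < 0) {
        r = -errno; /* save before fprintf/free can change errno */
        fprintf(stderr, "Failed to identify device node for block device %u:%u: %m\n",
                major(st.st_dev), minor(st.st_dev));
        free(t);
        return r;
}
free(t); /* the /sys/dev/block path is no longer needed */

r = asprintf(&t, "/dev/%s", basename(buf));
/* … unchanged: out-of-memory check and blkid_new_probe_from_filename(t) … */
```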
diff --git a/utils/libnetwork/Makefile b/utils/libnetwork/Makefile
index cc445df1a..07206d9c2 100644
--- a/utils/libnetwork/Makefile
+++ b/utils/libnetwork/Makefile
@@ -1,7 +1,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libnetwork
-PKG_RELEASE:=2
+PKG_RELEASE:=1
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
@@ -12,9 +12,9 @@ GO_PKG_BUILD_PKG:= \
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://$(GO_PKG)
-PKG_SOURCE_VERSION:=fa125a3512ee0f6187721c88582bf8c4378bd4d7
-PKG_SOURCE_DATE:=2020-12-15
-PKG_MIRROR_HASH:=f6fcc6c900c1d542dfede0f53691108f12b63ff20ecf870eebc0aa2df1848b24
+PKG_SOURCE_VERSION:=b3507428be5b458cb0e2b4086b13531fb0706e46
+PKG_SOURCE_DATE:=2021-01-26
+PKG_MIRROR_HASH:=421d1b7cd95d0d0ec2801ebb0b360416cd2382e1ef9e70f4ca5cb63fb6a4ee8c
PKG_MAINTAINER:=Gerard Ryan <G.M0N3Y.2503@gmail.com>
diff --git a/utils/mtools/Makefile b/utils/mtools/Makefile
new file mode 100644
index 000000000..66400e5b5
--- /dev/null
+++ b/utils/mtools/Makefile
@@ -0,0 +1,70 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=mtools
+PKG_VERSION:=4.0.26
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:=@GNU/mtools
+PKG_HASH:=539f1c8b476a16e198d8bcb10a5799e22e69de49d854f7dbd85b64c2a45dea1a
+
+PKG_BUILD_PARALLEL:=1
+PKG_INSTALL:=1
+
+PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
+PKG_LICENSE:=GPL-3.0-only
+PKG_LICENSE_FILES:=COPYING
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/mtools
+ SECTION:=utils
+ CATEGORY:=Utilities
+ SUBMENU:=Disc
+ TITLE:=Collection of utilities to access MS-DOS disks
+ URL:=https://www.gnu.org/software/mtools
+ DEPENDS:=+libbsd
+endef
+
+define Package/mtools/description
+ Mtools is a collection of utilities to access MS-DOS disks from GNU and Unix without mounting them.
+endef
+
+define Package/mtools/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/amuFormat.sh $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/mcheck $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/mcomp $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/mkmanifest $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/mtools $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/mxtar $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/tgz $(1)/usr/bin/
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/uz $(1)/usr/bin/
+ $(LN) uz $(1)/usr/bin/lz
+ $(LN) mtools $(1)/usr/bin/mattrib
+ $(LN) mtools $(1)/usr/bin/mbadblock
+ $(LN) mtools $(1)/usr/bin/mcat
+ $(LN) mtools $(1)/usr/bin/mcd
+ $(LN) mtools $(1)/usr/bin/mclasserase
+ $(LN) mtools $(1)/usr/bin/mcopy
+ $(LN) mtools $(1)/usr/bin/mdel
+ $(LN) mtools $(1)/usr/bin/mdeltree
+ $(LN) mtools $(1)/usr/bin/mdir
+ $(LN) mtools $(1)/usr/bin/mdu
+ $(LN) mtools $(1)/usr/bin/mformat
+ $(LN) mtools $(1)/usr/bin/minfo
+ $(LN) mtools $(1)/usr/bin/mlabel
+ $(LN) mtools $(1)/usr/bin/mmd
+ $(LN) mtools $(1)/usr/bin/mmount
+ $(LN) mtools $(1)/usr/bin/mmove
+ $(LN) mtools $(1)/usr/bin/mpartition
+ $(LN) mtools $(1)/usr/bin/mrd
+ $(LN) mtools $(1)/usr/bin/mren
+ $(LN) mtools $(1)/usr/bin/mshortname
+ $(LN) mtools $(1)/usr/bin/mshowfat
+ $(LN) mtools $(1)/usr/bin/mtoolstest
+ $(LN) mtools $(1)/usr/bin/mtype
+ $(LN) mtools $(1)/usr/bin/mzip
+endef
+
+$(eval $(call BuildPackage,mtools))
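Review bot: The 25 `$(LN) mtools ...` lines in `Package/mtools/install` are a hand-maintained list that can drift from what upstream installs in a later version. A single loop is easier to check, e.g. `$(foreach l,mattrib mbadblock mcat ...,$(LN) mtools $(1)/usr/bin/$(l);)` with the full applet list written out. The installed helper scripts (`amuFormat.sh`, `mxtar`, `tgz`, `uz`) may need tools that `DEPENDS:=+libbsd` does not pull in; I cannot tell from the hunk, so this is worth confirming on a minimal image.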
diff --git a/utils/podman/Makefile b/utils/podman/Makefile
index 5c9744a44..c97ba3e22 100644
--- a/utils/podman/Makefile
+++ b/utils/podman/Makefile
@@ -1,9 +1,9 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=podman
-PKG_VERSION:=3.0.1
+PKG_VERSION:=3.1.1
PKG_RELEASE:=$(AUTORELEASE)
-PKG_HASH:=259e682d6e90595573fe8880e0252cc8b08c813e19408b911c43383a6edd6852
+PKG_HASH:=4e6fb106c6363566b6edc4ac6caee0bdf6b788e01255c3b3bfcb64f4b6842229
PKG_SOURCE_URL:=https://github.com/containers/podman/archive/v$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
@@ -17,7 +17,7 @@ PKG_BUILD_PARALLEL:=1
PKG_USE_MIPS16:=0
GO_PKG:=github.com/containers/podman/
-GO_PKG_BUILD_PKG:=github.com/containers/podman/v2/cmd/podman/
+GO_PKG_BUILD_PKG:=github.com/containers/podman/v3/cmd/podman/
include $(INCLUDE_DIR)/package.mk
include ../../lang/golang/golang-package.mk
@@ -79,9 +79,9 @@ endef
Package/podman-selinux/conffiles = $(Package/podman/conffiles)
ifeq ($(BUILD_VARIANT),selinux)
- GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,selinux
+ GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,selinux,apparmor
else
- GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper
+ GO_PKG_TAGS=seccomp,exclude_graphdriver_devicemapper,apparmor
endif
define Build/Prepare
diff --git a/utils/podman/files/podman.init b/utils/podman/files/podman.init
index 1df70407f..fe85646e7 100755
--- a/utils/podman/files/podman.init
+++ b/utils/podman/files/podman.init
@@ -1,6 +1,7 @@
#!/bin/sh /etc/rc.common
START=99
+STOP=10
USE_PROCD=1
NAME=podman
PROG=/usr/bin/podman
@@ -12,3 +13,8 @@ start_service() {
procd_append_param command $command
procd_close_instance
}
+
+shutdown() {
+ ${PROG} pod stop -a
+ ${PROG} container stop -a
+}
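Review bot: The new `shutdown()` replaces the handler that rc.common provides, which as far as I know simply calls `stop`, so the procd instance started in `start_service` may no longer be stopped through procd at shutdown. If that is not intended, end the function with `stop`. Both `${PROG} pod stop -a` and `${PROG} container stop -a` run with no bound on how long they may take, so a container that ignores the stop request could delay shutdown; a comment stating the expected worst-case wait would help. `start_service` begins outside this hunk.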
diff --git a/utils/tmux/Makefile b/utils/tmux/Makefile
index d180cad38..f7f835faa 100644
--- a/utils/tmux/Makefile
+++ b/utils/tmux/Makefile
@@ -2,12 +2,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=tmux
-PKG_VERSION:=3.1c
-PKG_RELEASE:=1
+PKG_VERSION:=3.2
+PKG_RELEASE:=$(AUTORELEASE)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/tmux/tmux/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=b9617dd4d1c541ebc21b6b5760d58102fc039a593786aab273b5dd95dd514bea
+PKG_HASH:=290a2f25a2f26c649f7ec7f2880586b8d3f43e24d7cb42c691f430941edb4fcf
PKG_MAINTAINER:=Maxim Storchak <m.storchak@gmail.com>
PKG_LICENSE:=ISC
@@ -25,7 +25,7 @@ define Package/tmux
CATEGORY:=Utilities
SUBMENU:=Terminal
TITLE:=Terminal multiplexer
- DEPENDS:=+libncurses +libevent2 +libpthread +librt
+ DEPENDS:=+libncurses +libevent2-core +libpthread +librt
URL:=http://tmux.github.io/
endef
diff --git a/utils/tmux/patches/100-add-crosscompiling-fallbacks.patch b/utils/tmux/patches/100-add-crosscompiling-fallbacks.patch
new file mode 100644
index 000000000..83762df7c
--- /dev/null
+++ b/utils/tmux/patches/100-add-crosscompiling-fallbacks.patch
@@ -0,0 +1,24 @@
+commit bb6242675ad0c7447daef148fffced882e5b4a61
+Author: Nicholas Marriott <nicholas.marriott@gmail.com>
+Date: Thu Apr 15 06:45:19 2021 +0100
+
+ Add crosscompiling fallbacks, from Hasso Tepper.
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -163,6 +163,7 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM(
+ [return (reallocarray(NULL, 1, 1) == NULL);]
+ )],
+ AC_MSG_RESULT(yes),
++ [AC_LIBOBJ(reallocarray) AC_MSG_RESULT([no])],
+ [AC_LIBOBJ(reallocarray) AC_MSG_RESULT([no])]
+ )
+ AC_MSG_CHECKING([for working recallocarray])
+@@ -171,6 +172,7 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM(
+ [return (recallocarray(NULL, 1, 1, 1) == NULL);]
+ )],
+ AC_MSG_RESULT(yes),
++ [AC_LIBOBJ(recallocarray) AC_MSG_RESULT([no])],
+ [AC_LIBOBJ(recallocarray) AC_MSG_RESULT([no])]
+ )
+
diff --git a/utils/uvol/files/autopart.defaults b/utils/uvol/files/autopart.defaults
index c35b238ad..b6a3cdd60 100644
--- a/utils/uvol/files/autopart.defaults
+++ b/utils/uvol/files/autopart.defaults
@@ -2,9 +2,29 @@
. /lib/functions.sh
. /lib/upgrade/common.sh
+. /usr/share/libubox/jshn.sh
OWRT_VOLUMES=owrt-volumes
+
+get_partition_by_name_gpt() {
+ local dev="$1"
+ local part parts node name
+ json_load "$(sfdisk -J "/dev/$dev" 2>/dev/null)"
+ json_select "partitiontable" || return
+ json_select "partitions" || return
+ json_get_keys parts
+ for part in $parts; do
+ json_select "$part"
+ json_get_vars node name
+ if [ "$2" = "$name" ]; then
+ echo "$node"
+ break
+ fi
+ json_select ..
+ done
+}
+
part_fixup() {
echo "write" | sfdisk --force -q -w never $1
}
@@ -57,20 +77,22 @@ lvm_init() {
autopart_init() {
local diskdev
local lvmpart
- local diskserial
+ local diskserial diskhash
export_bootdevice && export_partdevice diskdev 0
[ "$diskdev" ] || return
- [ -e "/sys/class/block/$diskdev/device/serial" ] && diskserial=$(cat /sys/class/block/$diskdev/device/serial)
-
+ [ -e "/sys/class/block/$diskdev/device/serial" ] && diskserial="$(cat /sys/class/block/$diskdev/device/serial)"
+ [ -e "/sys/class/block/$diskdev/device/cid" ] && diskserial="$diskserial$(cat /sys/class/block/$diskdev/device/cid)"
+ [ "$diskserial" ] || diskserial="$(cat /proc/sys/kernel/random/uuid)"
+ diskhash="$(echo $diskserial | sha256sum | cut -d' ' -f1)"
part_fixup /dev/$diskdev
create_lvm_part /dev/$diskdev || return
- lvmpart=$(get_partition_by_name $diskdev $OWRT_VOLUMES)
+ lvmpart=$(get_partition_by_name_gpt $diskdev $OWRT_VOLUMES)
[ "$lvmpart" ] || return
- lvm_init /dev/$lvmpart "${OWRT_VOLUMES}${diskserial:+-${diskserial:2}}"
+ lvm_init $lvmpart "${OWRT_VOLUMES}-${diskhash:0:16}"
}
autopart_init
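Review bot: `diskhash` is computed with `echo $diskserial | sha256sum`, where the unquoted expansion lets the shell split the value and expand globs before hashing. The serial and CID are read from sysfs and are not under the script's control, so I would hash the exact bytes instead: `diskhash="$(printf '%s' "$diskserial" | sha256sum | cut -d' ' -f1)"`. The same applies to the unquoted arguments in `get_partition_by_name_gpt $diskdev $OWRT_VOLUMES` and `lvm_init $lvmpart ...`; quoting them (`lvm_init "$lvmpart" "${OWRT_VOLUMES}-${diskhash:0:16}"`) costs nothing. A one-line comment that the random UUID fallback makes the volume group name non-reproducible on disks without a serial would also be useful.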
diff --git a/utils/uvol/files/lvm.sh b/utils/uvol/files/lvm.sh
index 4a20f628d..c250be534 100644
--- a/utils/uvol/files/lvm.sh
+++ b/utils/uvol/files/lvm.sh
@@ -231,7 +231,9 @@ createvol() {
[ "$lv_full_name" ] || return 22
lvm_cmd lvchange -a y "$lv_full_name" || return 1
if [ $lv_size -gt $(( 100 * 1024 * 1024 )) ]; then
- mkfs.f2fs -f -l "$1" "$lv_path" || return 1
+ mkfs.f2fs -f -l "$1" "$lv_path"
+ ret=$?
+ [ $ret != 0 ] && [ $ret != 134 ] && return 1
else
mke2fs -F -L "$1" "$lv_path" || return 1
fi
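Review bot: Exit status 134 from `mkfs.f2fs` is now accepted as success, with no comment explaining why. 134 is what the shell reports for a process terminated by SIGABRT, so this path continues with a volume whose file system may not have been fully written. If this works around a known abort that happens after a successful format, say so in a comment, e.g. `# mkfs.f2fs may abort on exit after formatting; see <issue reference>`, and consider verifying the new file system before using it. `ret` is not declared in the lines shown; `createvol` starts outside the hunk, so please confirm it is `local`.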
@@ -271,7 +273,7 @@ listvols() {
local reports rep lv lvs lv_name lv_size lv_mode volname
volname=${1:-.*}
json_init
- json_load "$(lvs -o lv_name,lv_size -S "lv_name=~^[rw][ow]_$volname\$ && vg_name=$vg_name")"
+ json_load "$(lvs -o lv_name,lv_size -S "lv_name=~^[rw][owp]_$volname\$ && vg_name=$vg_name")"
json_select report
json_get_keys reports
for rep in $reports; do