* fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
treewide: prepare packages for OpenSSL 3.0 update
|
This adds an upstream commit to allow building with OpenSSL 3.0.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
This adds a patch from upstream allowing to build with OpenSSL 3.0.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
Remove a call to CRYPTO_mem_ctrl(), which is used only for debugging,
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
This is the latest version and brings compatibility with OpenSSL 3.0.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
This version adds compatibility with OpenSSL 3.0.
There's a patch, submitted upstream, to fix building without SSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
Add -Wno-error=deprecated-declarations to CFLAGS to allow usage of
deprecated API.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
Signed-off-by: Jan Hák <jan.hak@nic.cz>
|
transmission: retrieve boolean config opts using `config_get_bool`
|
The transmission UCI config options
- `config_overwrite`
- `incomplete_dir_enabled`
- `watch_dir_enabled`
are all booleans, so we have to retrieve them using `config_get_bool` in order
to make sure they are properly interpreted in case the user sets them to a
keyword (`true`/`false`, `on`/`off` etc.) and not an integer (`0`/`1`).
Signed-off-by: Salim B <git@salim.space>
|
Signed-off-by: Stan Grishin <stangri@melmac.ca>
|
* implement procd_boot_wan_timeout support
* update config with oisd ABPlus and domains lists
Signed-off-by: Stan Grishin <stangri@melmac.ca>
|
simple-adblock: update to 1.9.4-1
|
* update default config for new oisd.nl lists
* conf.update file to migrate oisd.nl lists to the new format
* introduce AdBlockPlus lists support (new oisd.nl format)
* longer wait for WAN up/gateway detection
* make load_environment only execute once to suppress duplicate
warnings/errors
PS. While I was testing this, oisd.nl has brought back the old domains
lists as well, so this version supports both as I'm unclear as to
why the "big" ABPlus list is only 6.2Mb whereas the "big" domains
list is a whopping 19.9Mb.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
|
banip: release 0.8.0 (nft rewrite)
|
- complete rewrite of banIP to support nftables
- all sets are handled in a separate nft table/namespace 'banIP'
- for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
- full IPv4 and IPv6 support
- supports nft atomic set loading
- supports blocking by ASN numbers and by iso country codes
- 42 preconfigured external feeds are available, plus local allow- and blocklist
- supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
- auto-add the uplink subnet to the local allowlist
- provides a small background log monitor to ban unsuccessful login attempts in real-time
- the logterms for the log monitor service can be freely defined via regex
- auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
- fast feed processing as they are handled in parallel as background jobs
- per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
- automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
- automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
- supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
- provides comprehensive runtime information
- provides a detailed set report
- provides a set search engine for certain IPs
- feed parsing by fast & flexible regex rulesets
- minimal status & error logging to syslog, enable debug logging to receive more output
- procd based init system support (start/stop/restart/reload/status/report/search)
- procd network interface trigger support
- ability to add new banIP feeds on your own
- add a readme with all available options/feeds to customize your installation to your needs
- a new LuCI frontend will be available in due course
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
* adapted changed oisd downloads (again), fixed #20516
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
add support for port-range dialer, port-range listener
Signed-off-by: Dengfeng Liu <liudf0716@gmail.com>
|
Dropped architectures that are no longer supported by upstream.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
* adapted changed oisd namings / download locations
oisd_big (old: oisd_full), oisd_small (old: oisdb_basic)
* added antipopads as new sources
* removed broken energized source
* fixed readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
|
Signed-off-by: Ralf Kaiser <skyper@thc.org>
|
unbound: update to version 1.17.1
|
- Refreshed one patch
- Removed deprecated AUTORELEASE
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
|
Signed-off-by: Van Waholtz <brvphoenix@gmail.com>
|
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
Signed-off-by: Fabian Lipken <dynasticorpheus@gmail.com>
|
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
Samba4 running as Active Directory Domain Controller with the internal
DNS backend requires the nsupdate binary with GSSAPI support.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
|
Bug was introduced in a7b770eec4370087a5ccd27887386dac9266214e and
results in bind always starting with the `-4` flag.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
|
* add boot() function which waits for network.interface to come up
* switch oisd.nl hosts entry to domains
* remove erroneous oisd substitution from config-update file
Signed-off-by: Stan Grishin <stangri@melmac.ca>
|
- Update tailscale to version 1.36.0
- Patch iptables support
Tailscale does not (yet) support nftables.
Tailscale allows running with --netfilter=off allowing
end-user to create his own firewall rules, but this
affects only tailscale cli, not tailscaled daemon, so
connection cannot be made without error telling that
tailscaled was unable to determine execute iptables
for determining its version.
There is a work-around for those who do not want
nft-iptables compatibility package; they can create
a script to /usr/bin/iptables which responds to
--version argument and echos fake version string
and on any other arguments or no arguments, just exits.
After this procedure and starting tailscale cli with
netfilter off- it works. Openwrt has moved on to
nftables, so iptables manipulation seems unnecessary.
Especially for other reasons, on Openwrt, firewall
should be configured on its own, because firewall
rules made by other software, such as tailscale,
lose their firewalling rules when firewall restarts.
So I patched it to allow "fake" iptables pointing
to executable /bin/false and ignoring version
request. And I also set cli to default to
netfilter off setting.
If still end-user wants to use iptables, this
patch does not make it impossible; just install
iptables, or nft-iptables, and run tailscale
with argument --netfilter=on and it works out
as it did before, tailscaled daemon still
matches with iptables if it is found in $PATH.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
|
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
|
Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
|
Signed-off-by: Sibren Vasse <github@sibrenvasse.nl>
|
Update crowdsec-firewall-bouncer to latest upstream release version 0.0.25
Signed-off-by: S. Brusch <ne20002@gmx.ch>
Maintainer: Kerma Gérald <gandalf@gk2.net>
Run tested: ipq40xx/generic, Fritzbox 4040, Openwrt 22.03.3
Rework:
- now based on uci config file
- create nftables tables and chains in initd script
|
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
|
Link: https://github.com/openwrt/packages/pull/19872
Signed-off-by: Li Xin <i@crzidea.com>
(squash commits)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
- Update haproxy download URL and hash
Signed-off-by: Christian Lachner <gladiac@gmail.com>
|
Fixes CVEs:
- CVE-2022-3924: Fix serve-stale crash when recursive clients
soft quota is reached.
- CVE-2022-3736: Handle RRSIG lookups when serve-stale is
active.
- CVE-2022-3094: An UPDATE message flood could cause named to
exhaust all available memory. This flaw was addressed by adding
a new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been added to
record events when the update quota is exceeded, and the XML and
JSON statistics version numbers have been updated.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
|
Upstream bump
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
|
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
|
Signed-off-by: Olivier Poitrey <rs@nextdns.io>