This lets the --peer-fingerprint openvpn option be parsed which requires
a client TLS certificate fingerprint (colon separated SHA256 hash) to
match one specified in the option argument, during authentication.
Signed-off-by: Ben Kibbey <bjk@luxsci.net>
acme.sh supports --httpport and --tlsport options to be used
together with --standalone and --alpn modes respectively.
This is useful if we're behind a reverse proxy or smth like that
or if we cannot bind to standard 80 or 443 port for some other
reason.
This change makes listen_port from configuration to be passed as
either --httpport or --tlsport
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
It's possible that staging_moved variable is undeclared while being
accessed. Lets explicitly declare it.
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
listen_port option allows to redefine the default 80/443 port
used in standalone/alpn challenges.
It's also useful for other types of challenges which require
accepting a connection on some TCP port so we need to expose
it via nft as well.
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
Update to version 0.13.0 that provides compatibility with cmake 4.0.
(new cmake version require at least cmake 3.5 requirement declared
in CMakeLists.txt)
* remove the temporary patch for CMakeLists.txt
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Unfortunately, this package has not been well maintained since 2021,
when Jan left CZ.NIC. Its usage on OpenWrt devices is limited.
It is a very specific package,
and I believe there will not be enough users
to maintain it, as no one from the community has stepped up to update it.
Running it on a dedicated server makes sense, but on OpenWrt?
Maybe only on x86_64 and aarch64 devices, as they are significantly more powerful.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Makefile changes
----------------
1. The location of uMurmur binary was changed to /sbin
in release 0.3.1. See release notes [1]
2. I need to specify location of the library file instead of
the directory.
Fixes:
CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
Target "umurmurd" requests linking to directory
"/build/staging_dir/target-powerpc_8548_musl/usr/lib".
Targets may link only to libraries. CMake is dropping the item.
CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
Target "umurmurd" requests linking to directory
"/build/staging_dir/target-powerpc_8548_musl/usr/lib".
Targets may link only to libraries. CMake is dropping the item.
Because of these two warnings, the build fails with
undefined references to
protobuf-c symbols (e.g. protobuf_c_message_get_packed_size).
Patches
-------
Removed all of them, because they are included in
the upstream source code.
[1] https://github.com/umurmur/umurmur/releases/tag/v0.3.1
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Move CONFLICTS definition to the respective v4 packages to avoid
creating a recursive dependency.
Fixes: ee3b06e42 ("nfs-kernel-server: provide a NFSv3 and NFSv4 daemon")
Fixes: #27555
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This resolves this failure observed when building on a 6.12 kernel:
Package kmod-openvswitch is missing dependencies for the following libraries:
psample.ko
The psample module is provided by kmod-sched-act-sample.
Closes: https://github.com/openwrt/packages/issues/26571
Signed-off-by: Mathew McBride <matt@traverse.com.au>
boostorg.jfrog.io is no longer available for download, so remove it.
use archives.boost.io (fastly cdn) to download first.
Signed-off-by: Andy Chiang <AndyChiang_git@outlook.com>
Makefile:
* update version/release
Init Script:
* boot up reliability improvements:
- change START from 50 to 20 to ensure procd_add_raw_trigger works on boot
- better logic of checking/using the cache/compressed cache on boot
* new dnsmasq handling/integration logic:
- new logic for checking dnsmasq functionality (similar to dnsmasq init script)
- instead of copying/duplicating adblock-fast files per specified dnsmasq instance, create one file
and add softlinks to it for specified dnsmasq instances and make sure it's in the instance's addnmounts
- update dnsmasqConfFile, dnsmasqIpsetFile and dnsmasqNftsetFile to point to the same filename as the
logic for integrating with dnsmasq is the same for those options
- get the confdir for specified dnsmasq instances via ubus info/config file since the config_get is broken
between releases by https://github.com/openwrt/openwrt/pull/14975
- update clean-up procedures for other dns backend settings to properly clean up when switching away from
dnsmasq.conf, dnsmasq.ipset, dnsmasq.nftset where the new logic is used
- remove obsolete outputDnsmasqFileList variable and logic of building and using it
- only create compressed cache in service_started after successful resolver restart with the block-file
* new package config / environment loading logic
- switch away from using `load_validate_config` to start functions to loading package config "manually"
- unset boolean variables which are non-true on package config load
- switch checking values of such variables from `-eq 0` to empty/non-empty
* debugging improvements:
- rename debug option to debug_init_script and proc_debug to debug_performance
- output performance debug info to log only when debug_performance is set
* miscellaneous changes:
- move best dl tool detection into its own function for reuse in adb_config_update
- change uci_changes function to return 0/1 instead of the text of changes
- improve mktemp calls reliability by creating the file and not using `-u` anymore
- add remove_cache/remove_gzip calls to adb_file function
- better readability of the start_serice logic determining the action
- change flock value from 207 to 209 to avoid collisions with pbr
- temporarily switch namespaces when using jshn functions to avoid collisions with PROCD
- move from using spaces to tabs in indentation in code
- prevent Command Not Found message on uninstall
- remove unneeded IPKG_INSTROOT check in the init script
- update all sourcing instructions to include IPKG_INSTROOT in the path
Uci-defaults script:
* transition old debug and proc_debug options to debug_init_script/debug_performance
Signed-off-by: Stan Grishin <stangri@melmac.ca>
fail2ban changes:
- nftables support (iptables dependency removed)
- python3 support (old package patches removed)
- Upstream patches backports:
- filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message
- cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
- Removed unresponsive/unreachable maintainer.
Fixes: https://github.com/openwrt/packages/issues/23015 ("fail2ban: very old version")
Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
add kmod-crypto-chacha20poly1305 kmod-crypto-lib-chacha20 kmod-crypto-lib-poly1305 for chacha20
Signed-off-by: Andy Chiang <AndyChiang_git@outlook.com>
Make libunwind support optional depending on package availability.
Previously, gperftools unconditionally enabled libunwind as
mandatory dependency, which led to build failures on architectures where
libunwind is not provided.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Summary:
The current build does not produce an NFSV4 capable package. This commit
fixes that providing a v3 and v4 variant to empower users to have either.
Approx. size differences between v3 and v4:
The v4 variant is approximately 16 MiB larger than the v3 variant
due to additional dependencies, kernel modules, etc.[1]
Detailed changes:
1. Split into a v3 and v4 version series of packages. In doing
this, the build-time V4 options are removed which is a major "win"
from a user's perspective because it means that for both release and
for snapshot builds, both options will be available to users of the
binary hosted packages.
2. Since V3 and V4 require different init processes, we should simplify
daemon management by providing a single init script unique to each
variant.
3. Added CPE_ID and PKG_LICENSE and also added myself as the Makefile
MAINTAINER.
Discussion about the v4 initd script:
It should be noted that mimicking the systemd implementation in an init.d
script with procd was not straight forward. There are some quirks
associated with the interplay of the five executables (listed below)
with procd, but despite of them, the init script works reliably based
on my somewhat extensive testing.
My observations and justification for the script as-is:
1a. procd_set_param command /usr/sbin/nfsdcld cannot be started with an
appended -F as doing so will somehow cause the executable to never
connect to the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld.
In fact, if you run `watch -n 1 tree /var/lib/nfs/rpc_pipefs` while
calling the init.d script to start, this pipe will quickly disappear
resulting in nfsdcld being unable to find it and thus fail to track
clients. On the other hand, starting it as I have in the init.d
script works as expected.
1b. Starting /usr/sbin/nfsdcld even with the -F arg outside of procd
also results in the communication pipe quickly disappearing.
2. Even though rpc.nfsd is a user space util, and even though it runs
and then exits, it must be started by procd with the procd_set_param
or else, the communication pipe: /var/lib/nfs/rpc_pipefs/nfsd/cld
will again quickly disappear breaking client tracking.
3. The addition of the umountem function keeps syslog output cleaner as
a shutdown of rpc.idmapd will cause the following to be logged:
daemon.warn rpc.idmapd[xxxxx]: dirscancb: scandir(/var/lib/nfs/rpc_pipefs//nfs): No such file or directory
Adding a 1 sec delay allows procd to kill it before we umount the
nfs related mounts to prevent that warning.
4. I can find no way to suppress rpc.idmapd and nfsv4.exportd reporting
that they received a SIGTERM (signal 15). The syslog will contain
two lines on exit, e.g.:
daemon.warn rpc.idmapd[1894]: exiting on signal 15
daemon.notice nfsv4.exportd[1893]: Caught signal 15, exiting.
The result of points 1 and 2 mean that if a users queries the status of
the daemon when running, (ie /etc/init.d/nfsv4d status), it will show:
running (2/4) despite the kernel serving up NFSV4 mounts 100% correctly.
I am unaware of a more perfect approximation of the systemd units.
List of the five needed calls:
* /usr/sbin/nfsv4.exportd (run once then quit)
* /usr/sbin/rpc.idmapd (needs to continue running)
* /usr/sbin/nfsdcld (needs to continue running)
* /usr/sbin/exportfs -r (run once then quit)
* /usr/sbin/rpc.nfsd -N 3 (run once then quit)
1. As assessed by comparing the uncompressed img files from a build of a
minimal image for x86/64 with the v3 variant vs with the v4.
Both variants have been tested and work.
v3:
On a network node, the NFSV3 export is fully functional:
% mount -t nfs -o vers=3 10.9.8.1:/mnt/data/nfs/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs (rw,relatime,vers=3,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,mountaddr=10.9.8.1,mountvers=3,mountport=32780,mountproto=udp,local_lock=none,addr=10.9.8.1)
v4:
On a network node, the NFSV4 export is fully functional:
% mount 10.9.8.1:/misc ok
% mount | grep ok
10.9.8.1:/mnt/data/nfs/misc on /home/facade/ok type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.9.8.102,local_lock=none,addr=10.9.8.1)
Finally, added 240-fix-cleanup_lockfiles-function-linkage-in-exportd.patch[1]
1. https://marc.info/?l=linux-nfs&m=175604879721922&w=2
From commit msg therein:
The cleanup_lockfiles function in utils/exportd/exportd.c was declared
as 'inline void' without a proper function prototype, causing linker
errors during the build process:
exportd.c:(.text+0x5a): undefined reference to `cleanup_lockfiles'
exportd.c:(.text.startup+0x317): undefined reference to `cleanup_lockfiles'
This occurred because:
1. The inline keyword prevented the compiler from generating a callable
function symbol in some build configurations
2. The function lacked a proper prototype declaration, triggering
-Werror=missing-prototypes
The fix changes the function to:
- Remove the 'inline' keyword to ensure symbol generation
- Add a proper static function prototype
- Make the function 'static' since it's only used within exportd.c
This resolves both the linking error and the missing prototype warning,
allowing exportd to build successfully in OpenWrt's cross-compilation
environment.
Co-authored-by: Maxim Storchak <m.storchak@gmail.com>
Co-authored-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: John Audia <therealgraysky@proton.me>
It should be working for mips*,
so enable it and let's see. :-)
In the past, there were some issues related to mips,
when the package was added, but these days, it appears
that these issues are gone. More details
about those issues could be found in the GitHub pull request
when gperftools was added. Reference is in the Fixes tag.
Fixes: c1b4e80825 ("gperftools: add new package")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
fixes CVE-2025-4820, CVE-2025-4821, CVE-2025-7054
adds python-yaml/host build dep as the dnsdist configuration handling
is now (since 2.0.0) generated at build time
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
