In order to create a proper jail, we need the procd-ujail package.
Otherwise, AdGuardHome will run as an unprivileged process,
and will not be able to listen on ports below 1024.
Signed-off-by: Alexander Krause <alexander.krause@cs.tu-dortmund.de>
- introduced a shared named nft limit (loglimit) referenced by
all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
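The shared named limit described in the commit above, rendered as an added shell example that is not banIP's own code: one nft `limit` object is emitted per table and every log rule references it by name, and a rate of 0 leaves the limit out entirely so the rules log unconditionally (the case for ulogd or another userspace log handler). The table, chain, set and prefix names are placeholders chosen for the example, not banIP's real ones; only the two UCI option semantics come from the commit.

```shell
#!/bin/sh
# Added example (not banIP's own code): render the shared nft limit object
# and the log statement every blocking rule references, from the two UCI
# options the commit introduces. Table, chain, set and prefix names are
# placeholders for this example, not banIP's real ones.

# Emit the named limit object for ban_logratelimit=$1 (events/second) and
# ban_logburstlimit=$2 (packets). Emits nothing when the rate is 0 or not
# numeric, i.e. nft-side log rate limiting is disabled.
banip_limit_obj() {
	_rate="${1:-0}" _burst="${2:-0}"
	[ "$_rate" -gt 0 ] 2>/dev/null || return 0
	printf '\tlimit loglimit {\n\t\trate %s/second burst %s packets\n\t}\n' "$_rate" "$_burst"
}

# Emit the log statement for one rule: reference the shared limit by name
# when it exists, otherwise log unconditionally (rate 0).
banip_log_stmt() {
	_rate="${1:-0}" _prefix="$2"
	if [ "$_rate" -gt 0 ] 2>/dev/null; then
		printf 'limit name "loglimit" log prefix "%s"' "$_prefix"
	else
		printf 'log prefix "%s"' "$_prefix"
	fi
}

# Render a minimal ruleset: one limit object, several rules referring to it.
# 192.0.2.0/24 is a constructed sample blocklist entry.
banip_nft_ruleset() {
	_rate="$1" _burst="$2"
	printf 'table inet banIP {\n'
	banip_limit_obj "$_rate" "$_burst"
	printf '\tset blocklist_v4 {\n\t\ttype ipv4_addr\n\t\tflags interval\n\t\telements = { 192.0.2.0/24 }\n\t}\n'
	printf '\tchain wan-input {\n\t\ttype filter hook input priority filter; policy accept;\n'
	printf '\t\tip saddr @blocklist_v4 %s counter drop\n' "$(banip_log_stmt "$_rate" "banIP/inp-wan/drp: ")"
	printf '\t}\n\tchain wan-forward {\n\t\ttype filter hook forward priority filter; policy accept;\n'
	printf '\t\tip saddr @blocklist_v4 %s counter drop\n' "$(banip_log_stmt "$_rate" "banIP/fwd-wan/drp: ")"
	printf '\t}\n}\n'
}

# Stand-alone run: ban_logratelimit and ban_logburstlimit from argv, defaults 2 and 5.
banip_nft_ruleset "${1:-2}" "${2:-5}"
```

Write the output to a file and check it with `nft -c -f <file>` before loading it; a named limit is shared state, so a burst of log events on one chain also consumes the budget of the others, which is exactly what keeps the total volume under the kernel printk rate limit.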
wgsd (WireGuard Service Discovery plugin) pulls in
golang.zx2c4.com/wireguard/wgctrl -> mdlayher/genetlink v1.2.0 ->
mdlayher/netlink v1.6.2. This version of netlink calls
mdlayher/socket's Sendmsg/Recvmsg with the old API signatures
(pre-context.Context, single-return-value Sendmsg), but coredns
itself requires mdlayher/socket v0.5.1 which changed these
signatures to include context.Context and return (int, error).
Add a go get step that upgrades netlink to v1.7.2 after the wgsd
plugin dependencies are pulled in, ensuring the build uses a
netlink version compatible with socket v0.5.x.
Should fix:
https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/coredns/compile.txt
```
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:35: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:33: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:127:42: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:142:41: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
github.com/aws/aws-sdk-go-v2/aws/protocol/query
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
github.com/aws/smithy-go/private/requestcompression
```
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.
Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update config for vrrp_script in keepalived.config.
Add option name, direction and timeout in config.
Add some docs for option weight and option direction.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Update keepalived.config to add config for section peer.
`peer` is a section that can be used via 'list unicast_peer'
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Add option timeout in vrrp_script section.
This option specifies the timeout duration for script execution.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
`track_script` and `vrrp_script` are both sections that run custom scripts
which handle priority of a vrrp_instance.
`track_script` is not supported by this uci implementation.
`vrrp_instance` was still trying to fetch config for track_script from section
'track_script'.
After the changes, when listing track_script in vrrp_instance,
it tries to fetch config from section `vrrp_script` which is supported.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Add logic to parse track_script section for vrrp_sync_group.
Keepalived supports script tracking in vrrp_sync_group but this was not
implemented by the uci implementation.
Note that if a vrrp_script is added to a sync group, you cannot use
priority/weight for that script as a vrrp_sync_group does not have a
priority/weight attached to it. It will do up/down as whole.
This option is optional and wouldn't affect any older configurations
during upgrade.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Added options min_ttl and max_ttl in section peer. These options are
supported by keepalived but were not supported by the uci implementation.
This allows accepting packets within a specific TTL range.
These options are optional and wouldn't affect any older configurations
during upgrade.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Removed unnecessary option value. This was not needed as option name is
already being used. Also removed a condition where the section was not
parsed if option value was not given. Value was being used to name the
script. Now the option name is used as the name when the script is called
in track_script.
Also added a condition where the section is not parsed if
option name is not given. This is because the script cannot be called if
it does not have a name.
No upgrade script is required.
The removed `value` option in `vrrp_script` was previously used to
identify scripts referenced by `track_script`. However, this mechanism
was non-functional:
- `track_script` attempted to reference a `track_script` section, which
is not implemented in the UCI configuration.
- As a result, script references were not resolved correctly even if
`value` was defined.
With this change, `track_script` now correctly references the
`vrrp_script` section, and the `name` option is used as the identifier.
Since the previous behavior was not working as intended, removing the
`value` option does not break any valid existing configurations.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
The new updated config_section_open and close functions are now used in places
where they can be used. The following sections use these functions:
(inside vrrp_instance)
- virtual_ipaddress
- virtual_routes
- track_script
- track_interface
- track_bfd
- unicast_peer
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Add a parameter for indent in config_section_open and
config_section_close. Previously you had to separately add indents
while parsing if a section was inside another section.
Now this is supported by these two functions.
You can specify how much indent you need to add before opening or closing
a section.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Adjust the update error handling path to avoid hard failures on
recoverable errors. This allows ddns to retry updates after the
configured retry interval and improves reliability.
Signed-off-by: Tim Flubshi <flubshi@gmail.com>
Replace manual file loading via cat with json_load_file for parsing
JSON data. This uses the intended helper function and improves
code clarity and robustness.
Signed-off-by: Tim Flubshi <flubshi@gmail.com>
The netcup ddns update script fails on subsequent runs because a
readonly variable is assigned again. Fix this by removing the readonly
declaration to allow repeated execution.
Signed-off-by: Tim Flubshi <flubshi@gmail.com>
Prompted by
https://github.com/openwrt/luci/pull/8420#issuecomment-4071252681
we update upsmon configs to ensure they are correct according to
upstream. We reorder the options so that they match upstream
documentation at
<https://networkupstools.org/docs/man/upsmon.conf.html> to be sure
we have not missed any items.
While at it, we add configuration options from the upstream
documentation that are not currently present in the UCI configs.
Some years ago upstream changed the names of the primary/secondary
UPS system/monitor from master/slave to primary/secondary. It
is uncertain how much longer these deprecated names will be
accepted by NUT.
Therefore update naming to match upstream documentation and
configuration. See
<https://networkupstools.org/docs/man/upsmon.html>,
<https://networkupstools.org/docs/man/upsmon.conf.html>, and
<https://networkupstools.org/docs/man/upsd.users.html>.
At the same time, prompted by
https://github.com/openwrt/packages/pull/28875#issuecomment-4079307540
we simplify the configuration and add checks to avoid bad configs
due to misspellings/typos of configuration options by users.
A sample config:

```
config upsmon 'upsmon'
	option notifycmd '/usr/bin/logger -t nut-monitor-exec '

config monitor
	option type primary
	option upsname upsname
	option hostname localhost
	option username upsuser
	option password upspassword

config notifications 'ONLINE'
	option message "UPS %s is on line power"
	option flag "SYSLOG"

config notifications 'ONBATT'
	option message "UPS %s is on battery power"
	option flag "SYSLOG+EXEC"
```
In order to iterate through the notifications, we use named
'notifications' sections and compare the section name to list of
notification events defined by NUT. If they don't match, warn
during initscript startup.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
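The section-name check described in the commit above, as an added shell example that is not the nut package's own init script: each `notifications` section name is compared against the NOTIFY event list from upsmon.conf(5), the flag string is checked as a `+`-joined combination of SYSLOG/WALL/EXEC/IGNORE, and a section that fails either check is warned about and left out of the generated upsmon.conf rather than producing a config NUT would reject. The event list is the one documented for upsmon.conf and is an assumption to adjust for the installed NUT version (newer releases add further events); the sample sections are constructed, and UCI itself is not involved.

```shell
#!/bin/sh
# Added example (not the nut package's init script): validate upsmon
# 'notifications' sections before writing NOTIFYMSG/NOTIFYFLAG lines.
# Event list follows upsmon.conf(5); the exact set depends on the NUT
# version installed, so treat it as an assumption to adjust.

NUT_NOTIFY_EVENTS="ONLINE ONBATT LOWBATT FSD COMMOK COMMBAD SHUTDOWN REPLBATT NOCOMM NOPARENT CAL NOTCAL OFF NOTOFF BYPASS NOTBYPASS"
NUT_NOTIFY_FLAGS="SYSLOG WALL EXEC IGNORE"

# Return 0 if $1 is one of the known NOTIFY events, 1 otherwise.
nut_valid_event() {
	for _e in $NUT_NOTIFY_EVENTS; do
		[ "$_e" = "$1" ] && return 0
	done
	return 1
}

# Return 0 if $1 is a non-empty '+'-joined combination of known flags.
nut_valid_flag() {
	[ -n "$1" ] || return 1
	_IFS=$IFS; IFS='+'
	set -- $1
	IFS=$_IFS
	for _f in "$@"; do
		_ok=1
		for _k in $NUT_NOTIFY_FLAGS; do
			[ "$_k" = "$_f" ] && _ok=0
		done
		[ "$_ok" -eq 0 ] || return 1
	done
	return 0
}

# Emit the upsmon.conf lines for one section ($1 event, $2 message,
# $3 flags), or warn on stderr and emit nothing.
nut_emit_notification() {
	if ! nut_valid_event "$1"; then
		echo "upsmon: unknown notification event '$1' (typo?), skipping" >&2
		return 1
	fi
	if ! nut_valid_flag "$3"; then
		echo "upsmon: invalid NOTIFYFLAG '$3' for $1, skipping" >&2
		return 1
	fi
	printf 'NOTIFYMSG %s "%s"\nNOTIFYFLAG %s %s\n' "$1" "$2" "$1" "$3"
}

# Constructed sample sections (name|message|flags); the third has a typo.
SAMPLE_SECTIONS='ONLINE|UPS %s is on line power|SYSLOG
ONBATT|UPS %s is on battery power|SYSLOG+EXEC
ONBAT|UPS %s is on battery power|SYSLOG'

# Render every valid section; invalid ones only produce the warning.
nut_render_notifications() {
	printf '%s\n' "$SAMPLE_SECTIONS" | while IFS='|' read -r _name _msg _flag; do
		nut_emit_notification "$_name" "$_msg" "$_flag" || :
	done
}

nut_render_notifications
```

Doing the check at init time means a misspelled section such as `ONBAT` is reported in the log at startup instead of silently never firing, which for a battery-state notification is the difference between a visible config error and a UPS event nobody is told about.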
This upstream release allows clean builds against linux 6.18. Fix LUA
PacketScript build on 6.18 by switching to ccflags-y and restoring the
required -isystem include path. Remove compat_xtables since the module
no longer exists in 3.30 and drop all dependent kmod references.
Fix CI build failure with backport:
600-xt_pknock-fox-do_div-signness-mismatch.patch
Note that upstream tarball changed from xz to zst.
Signed-off-by: John Audia <therealgraysky@proton.me>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description: Add nftables notrack for localhost traffic
- Removed. License is now included in the main project.
net/https-dns-proxy/Makefile:
- Bumped PKG_RELEASE to 5.
net/https-dns-proxy/files/etc/config/https-dns-proxy:
- Added 'option notrack_dns '1'' to the default configuration.
net/https-dns-proxy/files/etc/init.d/https-dns-proxy:
- Defined NOTRACK_NFT_FILE constant.
- Added 'notrack_dns' and 'notrack_ports' variables.
- Implemented 'notrack_nft' function to manage nftables rules for notracking local DNS traffic.
- Enabled loading of 'notrack_dns' boolean from configuration.
- Modified start_instance to collect listen_port into notrack_ports if notrack_dns is enabled.
- Modified start_service to call notrack_nft update/remove based on notrack_dns and collected ports.
- Modified stop_service to call notrack_nft remove.
- Updated service_started and service_stopped to trigger firewall config changes when notrack_dns is enabled.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* Switch Hagezi URL to a more compact higher-level only domains list as we
prefer it anyways and there's less processing (thanks @dave14305)
* When update_config_sizes is unset, save collected sizes to RAM to improve
luci app performance (thanks @sshaikh)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
fix: avoid unnecessary dnsmasq restarts (thanks @egc112)
fix: insert, not add dns policies to ensure higher priority than the DNS
hijack rules (thanks @egc112)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* flock/serialize the etag writing in the f_etag function
* added various variables to local scope
* LuCI: removed needless ACL
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a separate adblock rundir (/var/run/adblock)
* refine the cpu/core detection
* behaviour change: allowlist domains now also removes subdomains from the blocklist
* flock/serialize the etag writing in the f_etag function
* code clean-up/linting
Signed-off-by: Dirk Brenken <dev@brenken.org>
Introduce a new `ipv6` proto option for OpenVPN netifd integration and
export it to the hotplug environment. IPv6 remains enabled by default,
but can now be explicitly disabled per instance.
Update the hotplug helper to apply IPv6 addresses and routes only when
IPv6 is enabled, allowing cleaner IPv4-only tunnel deployments.
Also improve route handling by:
- ignoring invalid default gateway values (0.0.0.0 / ::)
- replacing fixed `seq` loops with shell-safe while loops
- keeping trusted peer host routes conditional on valid gateways
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
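The route handling described in the commit above, as an added shell example that is not the openvpn package's hotplug helper: the numbered `route_network_N` / `route_netmask_N` / `route_gateway_N` and `route_ipv6_network_N` / `route_ipv6_gateway_N` variables that OpenVPN exports to scripts are walked with a `while` loop that stops at the first missing index instead of a fixed `seq` range, gateways of `0.0.0.0` or `::` are rejected, and the IPv6 pass is skipped when the per-instance `ipv6` option is off. Only the collection step is shown (the real helper hands the routes to netifd); the variable names come from OpenVPN's script environment, the `ipv6` flag is assumed to reach the script as a plain shell variable, and the sample environment is constructed.

```shell
#!/bin/sh
# Added example (not the openvpn package's hotplug helper): walk OpenVPN's
# numbered route_* script variables without a fixed 'seq' loop, drop
# all-zero gateways, and skip IPv6 when the per-instance 'ipv6' option
# is 0. How 'ipv6' reaches the script is an assumption for this example.

# Return 0 when $1 is a usable gateway: non-empty and not the all-zero address.
valid_gateway() {
	case "$1" in
		""|0.0.0.0|::|::0) return 1 ;;
	esac
	return 0
}

# Print "network netmask gateway" per IPv4 route, numbered from 1 until the
# first missing route_network_N. A route without its own gateway falls back
# to route_vpn_gateway; a route whose gateway is still invalid is skipped.
collect_ipv4_routes() {
	_n=1
	while :; do
		eval "_net=\${route_network_$_n:-}"
		[ -n "$_net" ] || break
		eval "_mask=\${route_netmask_$_n:-}"
		eval "_gw=\${route_gateway_$_n:-}"
		[ -n "$_gw" ] || _gw="${route_vpn_gateway:-}"
		if valid_gateway "$_gw"; then
			printf '%s %s %s\n' "$_net" "${_mask:-255.255.255.255}" "$_gw"
		fi
		_n=$((_n + 1))
	done
}

# Same for IPv6 ("network gateway"), but only when ipv6 is enabled (default 1).
collect_ipv6_routes() {
	[ "${ipv6:-1}" = "1" ] || return 0
	_n=1
	while :; do
		eval "_net=\${route_ipv6_network_$_n:-}"
		[ -n "$_net" ] || break
		eval "_gw=\${route_ipv6_gateway_$_n:-}"
		if valid_gateway "$_gw"; then
			printf '%s %s\n' "$_net" "$_gw"
		fi
		_n=$((_n + 1))
	done
}

# Constructed sample environment, in the shape OpenVPN exports to scripts:
# route 2 carries a bogus 0.0.0.0 gateway, route 3 has no gateway at all,
# IPv6 route 1 carries a bogus :: gateway.
route_vpn_gateway=10.8.0.1
route_network_1=192.0.2.0     route_netmask_1=255.255.255.0   route_gateway_1=10.8.0.1
route_network_2=198.51.100.0  route_netmask_2=255.255.255.0   route_gateway_2=0.0.0.0
route_network_3=203.0.113.5   route_netmask_3=255.255.255.255
route_ipv6_network_1=2001:db8::/64    route_ipv6_gateway_1=::
route_ipv6_network_2=2001:db8:1::/48  route_ipv6_gateway_2=fe80::1

collect_ipv4_routes
collect_ipv6_routes
```

Stopping at the first missing index rather than iterating a fixed range avoids both the `seq` dependency and reading past the routes OpenVPN actually pushed; rejecting the all-zero gateway up front is what keeps a host route for the trusted peer from being installed via a gateway that does not exist.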
* fixed the initialization of the banIP rundir (reported in the forum)
* sanitize possible windows line endings in local block- and allowlist
* refine the cpu/core detection
* code clean-up/linting
Signed-off-by: Dirk Brenken <dev@brenken.org>
Update the mdio-netlink kmod and userspace mdio-tools to version 1.3.2.
[v1.3.2] - 2026-04-14
---------------------
Build fixes and support for Microchip's paged PHYs.
Added:
- mdio: A new addressing mode "mscc": Used to access PHYs from
Microchip that use C22 register 31 as a page register
Fixed:
- mdio: Fix VPATH builds and various other build related warnings
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>