Commit 1ea43c352 ("kea: fix kea-libs dependencies") replaced the
direct +log4cplus dependency on kea-libs with the virtual name
+log4cplus-any. With only one log4cplus implementation in the feed,
nothing actually PROVIDES log4cplus-any other than the auto-generated
"package name + -any" alias on log4cplus itself.
apk treats `-any`-suffixed names as ambiguous virtuals that the
admin must resolve explicitly, even when only one provider exists,
and refuses to install:
ERROR: unable to select packages:
log4cplus-any (virtual):
note: please select one of the 'provided by'
packages explicitly
provided by: log4cplus
required by: kea-libs-3.0.2-r7[log4cplus-any]
That bubbles up to every kea subpackage runtime test in CI
(kea-admin, kea-ctrl, every kea-dhcp* and kea-hook-*) and fails
the multi-arch test build with exit code 3.
Switch back to +log4cplus directly; the +libstdcpp addition from
that earlier commit stays — it was the genuinely useful part of
the change. Bump PKG_RELEASE for the redo.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Snapshot builds for i386_pentium-mmx (and presumably every other
target now that Boost 1.91 has been bumped in the feed) fail with::
src/lib/dns/rdataclass.cc:1401:5: error: 'BOOST_STATIC_ASSERT'
was not declared in this scope; did you mean
'BOOST_HAS_STATIC_ASSERT'?
1401 | BOOST_STATIC_ASSERT(sizeof(numdata_) ==
``BOOST_STATIC_ASSERT`` lives in ``<boost/static_assert.hpp>``. In
earlier Boost releases it was reachable through any number of
transitive includes pulled in by Kea's other DNS headers; in 1.91
those transitive paths have been pruned, so call sites must include
the declaring header explicitly. ``050-boost-static-assert.patch``
already does this for ``src/lib/log/logger_level_impl.cc``;
``src/lib/dns/rdataclass.cc`` uses the same macro at SOA::getMinimum()
to size-check ``numdata_`` and was missed.
Extend the existing patch with the matching include in rdataclass.cc.
Same fix shape as the earlier hunk; no behavioural change.
Build log:
https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/kea/
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Cover each user-facing subpackage with a real functional check instead
of relying solely on the CI's generic --version probe:
- knot: knotc conf-check on a minimal YAML server config
- knot-dig: kdig -h (CLI parser smoke check)
- knot-host: khost -h
- knot-nsupdate: feed 'quit' through the REPL
- knot-zonecheck: validate a minimal example.com zone file end to end
- knot-keymgr: initialise a KASP DB in a temp directory
knot-libs, knot-libzscanner, and knot-tests are library/harness
subpackages; the generic ELF/SONAME checks already cover them.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The RRL module's kru.inc.c has a `static_assert(ATOMIC_CHAR16_T_LOCK_FREE
== 2, ...)` that breaks the build on any target whose toolchain does
not advertise lock-free 16-bit atomics (e.g. ARMv5 arm926ej-s).
Upstream considers the assertion non-essential and plans to drop it;
they recommended a patch over a Makefile-level RRL disable. Bump
PKG_RELEASE for the patch swap.
Suggested-by: Daniel Salzman <daniel.salzman@nic.cz>
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Resolves several security issues:
- CVE-2026-3592: Limit resolver server list size.
- CVE-2026-3039: Fix GSS-API resource leak.
- CVE-2026-5950: Avoid unbounded recursion loop.
- CVE-2026-5947: Fix crash in resolver when SIG(0)-signed responses are
received under load.
- CVE-2026-3593: Add system test for HTTP/2 SETTINGS frame flood.
- CVE-2026-5946: Disable recursion, UPDATE, and NOTIFY for non-IN views.
Complete list of changes is available upstream at
https://ftp.isc.org/isc/bind9/9.20.23/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
* bugfix: only load the configuration once per run: a new `ban_confload`
guard short-circuits `f_conf()` on subsequent calls, avoiding
repeated `config_load` invocations
* new: the per-set report now sorts elements by their packet counter in
descending order before truncating to the top 50, so the report
shows the most active elements instead of just the first 50 found
Signed-off-by: Dirk Brenken <dev@brenken.org>
- f_search: refactored backup and local block-/allowlist scan to run in parallel
- f_search: raise the search timeout in backups to max. 90 seconds
- f_load: skip f_fetch for search action, no remote download is needed for local lookups
- f_dns: skip destructive paths (file wipe, f_dnsup) for search and report actions
- LuCI: adapt search backend changes in the frontend
- LuCI: minor frontend fixes & improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
Bump from 2.0.1 to the latest 2.0 LTS release. This pulls in
upstream commit 53cb738795 ("dnsdist: make code boost-1.91
compatible", Otto Moerbeek, 2026-04-29), which fixes the build
break against Boost 1.91 currently shipped by OpenWrt:
dnsdist-lua.cc:3086:101: error: converting to
'boost::optional<unordered_map<...>>' from initializer list
would use explicit constructor 'constexpr boost::optional<T>::
optional(U&&) [...]'
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Some FortiGate VPN gateways require a specific authentication realm
when multiple domains or user groups are configured on the same server.
This commit updates the netifd protocol script to parse the 'realm'
option from the UCI configuration and correctly append it to the
openfortivpn command line arguments.
Signed-off-by: Xing-Kai Wang <my@xkwang.org>
Add DDNS update support for blazingfast.io Anycast DNS via their
REST API. Authentication is performed via JWT token obtained from
the login endpoint. Zone records are fetched to verify the record
type before update, ensuring IPv4 services only target A records
and IPv6 services only target AAAA records.
Service, zone and record IDs are passed via param_opt as
space-separated key=value pairs:
service_id=X zone_id=Y record_id=Z
curl --config file approach is used throughout to avoid eval and
shell injection from user-controlled values. Supports both IPv4
and IPv6. For dual-stack, create two separate DDNS service sections
with their respective record IDs.
Tested on GL.iNet MT5000 (Brume 3) running OpenWrt with
ddns-scripts 2.8.2.
Signed-off-by: Fotios Kitsantas <fkitsantas@icloud.com>
Maintainer: Alexandru Ardelean <ardeleanalex@gmail.com>
ping @feckert
First of all big thanks to all involved devs, porting this to proto is not a minor task and besides some small quirks it is working well.
(Not all that happy with the use of a default route instead of /1 routes, because you loose internet if the tunnel goes down but that is just me nitpicking)
However I had problems with default routing as the host routes to the server endpoint were missing.
I tracked it down to code in the `openvpn-hotplug` script and made some changes and in my testing it appears to work now.
As a bonus I also added code for a future implementation of the `nohostroute` option.
Problem:
The host routes were created by just using route setup this however does not work.
Solution:
using `proto_add_host_dependency` seems the better solution.
Furthermore the correct guard for IPv6 seems to be `net_gateway_ipv6` instead of `route_ipv6_gateway` however even the correct guard is only working if ipv6 source routing is disabled on wan6, so perhaps we should consider removing the guard entirely.
For now I left it in place with a warning.
I have tested it on X86 running master build from 5 days ago, both for IPv4 and IPv6
Please have a look and consider implementing.
Thanks
Signed-off-by: Erik Conijn <egc112@msn.com>
The ola host build (HostBuild path that produces ola_protoc_plugin)
failed in clean buildbot environments with:
configure: error: Missing the uuid library
even though libuuid is provided by tools/util-linux and is staged
at $(STAGING_DIR_HOST)/lib/pkgconfig/uuid.pc.
Root cause: HOST_CONFIGURE_VARS overrode PKG_CONFIG_PATH with
PKG_CONFIG_PATH="$(STAGING_DIR_HOSTPKG)/usr/protobuf-compat/lib/\
pkgconfig:$(PKG_CONFIG_PATH)"
$(PKG_CONFIG_PATH) here is the make-time variable, which is never
set for host context (include/host-build.mk only exports it as a
per-rule env variable, not a make variable). It therefore expanded
to the empty string, and the resulting single-entry PKG_CONFIG_PATH
overrode the exported defaults from host-build.mk, hiding uuid.pc
from the host pkg-config wrapper.
Fix: refer to the env variable via shell expansion ($$PKG_CONFIG_PATH)
instead of the make variable. The make recipe expands $$ to $, and
the shell resolves $PKG_CONFIG_PATH from the inherited environment
populated by include/host-build.mk (which sets it to
$(STAGING_DIR_HOST)/lib/pkgconfig:$(HOST_BUILD_PREFIX)/lib/pkgconfig).
Fixes: 5e4f937e ("ola: use protobuf-compat instead of protobuf")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
When luci-proto-openvpn is selected in `make menuconfig`,
openvpn-openssl is picked up automatically. As mbedTLS is the default
TLS package, set DEFAULT_VARIANT on openvpn-mbedtls so that it is used
by default.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Add DDNS update support for blazingfast.io Anycast DNS via their
REST API. Authentication is performed via JWT token obtained from
the login endpoint. Zone records are fetched to verify the record
type before update, ensuring IPv4 services only target A records
and IPv6 services only target AAAA records.
Service, zone and record IDs are passed via param_opt as
space-separated key=value pairs:
service_id=X zone_id=Y record_id=Z
curl --config file approach is used throughout to avoid eval and
shell injection from user-controlled values. Supports both IPv4
and IPv6. For dual-stack, create two separate DDNS service sections
with their respective record IDs.
Tested on GL.iNet MT5000 (Brume 3) running OpenWrt with
ddns-scripts 2.8.2.
Signed-off-by: Fotios Kitsantas <fkitsantas@icloud.com>
George Sapkin