In the original commit I used the wrong name for the package in the
Makefile and various other files which caused the package to not build.
Unify the naming to "cloud" to fix the package build.
Fixes: 5ee205bd31 ("ddns-scripts: add Hetzner Cloud support")
Signed-off-by: Christopher Obbard <obbardc@gmail.com>
Add a new Hetzner DDNS provider using the Hetzner Cloud API
(api.hetzner.cloud) with Bearer token authentication.
Configuration guide:
* set [domain] to domain
* set [username] to subdomain (without domain)
* set [password] to Bearer API key
Signed-off-by: Christopher Obbard <obbardc@gmail.com>
Since the RFC-1918 in-addr.arpa empty zones are automatically created,
they will exist, but we can't use modzone on them because that's not
how things work.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The RFC-1918 zones are automatically synthesized locally by bind
to avoid forwarding queries about them to root nameservers. As
a result, we can't easily replace them with rndc addzone on the
fly. We need this for DHCP integration.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
* add an option dnsmasq_validity_check to enable removal of invalid
domains from the final dnsmasq files
* renamed option sanity_check to dnsmasq_sanity_check
* better names for Format Filters and Parse Filters variables
Signed-off-by: Stan Grishin <stangri@melmac.ca>
new service provider namesilo.com
config guide:
* set [domain] to apex domain
* set [username] to subdomain (without apex domain)
* set [password] to api key
Signed-off-by: Lin Fan <im.linfan@gmail.com>
* add interface information to the dns report
* support multiple tcpdump interfaces ('any') in the dns report properly
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fix compiling bundled Kerberos library on several 32-bit architectures
by linking with libatomic.
Disable kernel keyring being picked up from a dirty buildbot
environment.
Signed-off-by: George Sapkin <george@sapk.in>
This software seems no longer maintained by upstream.
Both PKG_SOURCE_URL and URL are dead, and
no package depends on this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
This option is required for the proxy to be transparent, and has been
supported since at least 2009. Description taken from upstream.
Signed-off-by: Xu Wang <xwang1498@gmx.com>
New upstream release. Changelog:
appid: configurable midstream service discovery
appid: prefer QUIC client appid over SSL
appid: prevent out-of-bounds read in bootp option parsing
appid: prevent out-of-bounds read in sslv2 server-hello detection
control: refactor connection ownership model and improve thread safety
extractor: avoid reporting default values for missing SSL fields
file_api: coverity fix
flow: refactor dump_flows command to dump flow state in binary format
mime: fix compile issues
react: block flow when packets are not reset candidates
show_flows: implement utility program to convert dump_flows binary files to text Flow state data for each flow
smtp: handle split CRLF in multi-line response parsing
ssl: ssl client hello event is published with empty hostname
% snort --version
,,_ -*> Snort++ <*-
o" )~ Version 3.10.2.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.24
Using Vectorscan version 5.4.12 2026-01-11
Using libpcap version 1.10.5 (with TPACKET_V3)
Using LuaJIT version 2.1.0-beta3
Using LZMA version 5.8.1
Using OpenSSL 3.5.4 30 Sep 2025
Using PCRE2 version 10.47 2025-10-21
Using ZLIB version 1.3.1
Signed-off-by: John Audia <therealgraysky@proton.me>
New upstream release. Changelog:
alert_fast: ensure call_once definition doesn't collide in std vs glibc, thanks to krag on GitHub for suggesting this fix
alert_json: add support for logging appid, thanks to ssam18 on GitHub for suggesting this change
appid: add check to avoid setting brute force state for pending sessions that are pruned
appid: allow out-of-order packet inspection in third-party engine
appid: check for Lua table errors during initialization and cleanup
appid: enable out-of-order inspection by default
appid: fix client process regex mapping logic
appid: fix eve process handler event debug logging
appid: fix setting global ssh ignore flag
appid: fix size check in TFTP service detector
appid: mDNS TXT records parsing and deviceinfo event generation
appid: prevent multiple out-of-bounds reads in ssl
build: address compilation warnings
build: fix Coverity warnings in related components
cmake: fix pkg-config path for libdir, thanks to brianmcgillion on GitHub for submitting a similar fix
decoder: adding encode function for TransbridgeCodec
dns: add fix infinite recursion vulnerability
file: use new EVP functions rather than deprecated SHA functions
flow: add logs to show different ways a flow can fail to create
ftp_telnet: fix coverity errors and improve cmd_len configurability
ftp_telnet: fix ftp_cmd_pipe_index handling
ftp_telnet: Handle malformed traffic in ftp to generate alert
hash: update hashes to use new EVP functions, thanks to
http_inspect: add urlencoded to content-type list
http_inspect: fix coverity error
iec104: fix IEC 104 SQ0 bounds checks by removing duplicate asdu_size_map entries and using IO_GROUP sizes, preventing out-of-bounds reads
iec104: validate Type I length to prevent ASDU out-of-bounds read
ips_options: fix cursor position for byte_extract
ips_options: reset PCRE rule counts on new configuration loaded
main: update dioctl daqSnort latency common change
mime: add unit tests for data fitting memory limit
mime: add unit tests for data over memory limit
mime: add unit tests for file logging
mime: fix mime boundary parsing
mime: ignore field collection if not configured
mime: implement content parsing of multipart/form_data
mime: improve form-data collection for incomplete boundaries
mime: leave room for null-character in case of size limit hit
mime: remove unused forward-declaration
mime: rename class field to comply with the style
mime: return error code if cannot add headers for logging
pub_sub: add is_urlencoded method
sip: fix out-of-bounds reads in sip_parse_sdp_m
smb,dlp: update filename,filesize of FileInfo handling to enable dlp evaluation for repeated txns
smtp: usage of config cmds
snort2lua: fix failure in converting patterns containing commas
snort_ml: enable client body scanning by default
snort_ml: scan multipart form data
ssl: free certificate data if certificate length is 0
ssl: tls client hello check out of bounds fix
unified2: use proper API for obtaining VLAN ID from packet
% snort --version
,,_ -*> Snort++ <*-
o" )~ Version 3.10.1.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2025 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.24
Using Vectorscan version 5.4.12 2026-01-11
Using libpcap version 1.10.5 (with TPACKET_V3)
Using LuaJIT version 2.1.0-beta3
Using LZMA version 5.8.1
Using OpenSSL 3.5.4 30 Sep 2025
Using PCRE2 version 10.47 2025-10-21
Using ZLIB version 1.3.1
Signed-off-by: John Audia <therealgraysky@proton.me>
* rework DNS reporting: more reliable, more information (request type), better performance
* fixed minor issues
* readme update
* LuCI: added new DNS page (incl. Allowed/Blocked canvas)
Signed-off-by: Dirk Brenken <dev@brenken.org>
Fixes security issues:
- CVE-2025-13878: Malformed BRID and HHIT records could trigger an
assertion failure.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This eliminates a dependency on the unmaintained passlib
(python3-passlib) package and add a dependency on libpass, a maintained
fork of passlib: https://github.com/Kozea/Radicale/pull/1953
In addition Radicale auth type 'autodetect' for `htpasswd` auth has
been improved by upstream.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
Redirect stdout and stderr to /dev/null when starting/restarting the ddns
service in the background. Without this redirection, file descriptors are
inherited by the child process, preventing proper process detachment and
causing luci's XHR requests to timeout.
We update the missing sections defaults to match the upstream default,
which are also our defaults when there is an UCI configuration, and
are also the defaults for the LuCI app.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
We update the initscript to rebuild the radicale3 target configuration
file and then HUP the radicale3 process to reload it, on a reload
event, rather than the default which does not regenerate the target
configuration.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
With recent changes to the proposed PR
(https://github.com/openwrt/luci/pull/8216) for the LuCI app for
radicale3, it is not longer necessary that uncommented configuration
be present in /etc/config/radicale3 for the LuCI app to work.
Therefore make the initial uci config commented sample only.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
When LuCI uploads files like the SSL key and certificate, it makes the
files readable only by root. Since radicale is running as a
non-privileged user it is unable to access a certificate and key
uploaded by LuCI, therefore when SSL cert and key (and optional CA) are
configured, make them group radicale3 and group readable, so the
radicale server can use them.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
This is required to fix the following error:
kea-dhcp4: ERROR [kea-dhcp4.dhcpsrv.548449842384] DHCPSRV_MEMFILE_FAILED_TO_OPEN Could not open lease file: invalid path specified: '/var', supported path is '/var/lib/kea'
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This is required to fix the following error:
kea-dhcp-ddns[3115]: 2026-01-15 20:00:36.776 FATAL [kea-dhcp-ddns.dctl/3115.547785590368] DCTL_CONFIG_FILE_LOAD_FAIL DhcpDdns reason: 'socket-name' is invalid: socket path:/var/run/kea does not exist or does not have permssions = 750
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* added firewall rules based on nftables in a separate isolated nftables table (inet adblock)
and chains (prerouting), with MAC addresses stored in an nftables set.
Implemented the following firewall‑integrated features:
* external DNS Routing (unfiltered): routes DNS queries from selected devices or interfaces
to an external unfiltered DNS resolver
* external DNS Routing (filtered): routes DNS queries from selected devices or interfaces
to an external filtered DNS resolver
* force DNS: blocks or redirects all external DNS traffic from selected interfaces
to ensure that clients use the local resolver
* removed the optional generation of an additional jail list (only supported bydnsmasq),
use the new, resolver independent ext. DNS routing instead
* removed the pz-client-ip feature (only supported by bind),
use the new, resolver independent ext. DNS routing instead
* removed the obsolete, hardcoded fw4 rules for DNS enforcement
existing rules will be removed via uci-defaults script after adblock update
* changed the Jail mode to a simple allowlist-only mode
* fixed minor issues in the mail template
* readme update
* LuCI: added a new config tab "Firewall Settings"
* LuCI: fixed minor usability issues
Signed-off-by: Dirk Brenken <dev@brenken.org>
Added logic to extract and match DNS record ID from parameters,
with fallback to default selection if no match is found.
Signed-off-by: QiLei Niu <qilei.niu@gmail.com>
Add missing provider entry for apertodns.com-token.
The service configuration (apertodns.com-token.json) was already
merged in PR #28160, but the provider list entry was missing.
Signed-off-by: Andrea Ferro <support@apertodns.com>
