* hardened the uci config parsing
* added a fast, flexible & secure IPv4/IPv6 validator function, it eliminates > 99 % of garbage inputs
Please note: The ‘rule’ in the feed file now only contains parameters for the IP validator;
details can be found in the readme file. Old custom feed files are not compatible and will be
backed up/removed via the uci-defaults script
* added BCP38 support: to block packets with spoofed source IP addresses in all supported chains
* optimized the log monitor plus performance improvements
* removed the pallebone feed (discontinued)
* added the ipexdbl feed
* various small improvements
* LuCI: add the BCP38 option under Table/Chain Settings
* LuCI: updating the custom feed editor
* LuCI: small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
Introduces the IPv6 Leases file by default. This file will display active IPv6 leases requested under the IPv6 PCP (Port Control Protocol), a.k.a. IPv6 Pinholes.
miniupnpd must be compiled with ENABLE_UPNPPINHOLE set for this to take effect. This is taken care of currently by setting CONFIG_IPV6.
The lease file looks something like:
Proto;ClientIP;ClientPort;RemoteIP;RemotePort;UID;Timestamp;Description
Signed-off-by: Michael Gray <michael.gray@lantisproject.com>
Add support for ApertoDNS dynamic DNS service with two configuration
options:
- apertodns.com: Standard DynDNS2 compatible authentication (user/pass)
- apertodns.com-token: Token-based authentication for DDNS clients
Both configurations support IPv4 and IPv6 updates via the standard
/nic/update endpoint.
Signed-off-by: Andrea Ferro <support@apertodns.com>
Support for configuring EAP-TLS authentication scheme is added.
Similar to EAP-MSCHAPv2, this one is usually asymmetric
in the way that server auth method (pubkey) is different from
the client auth method (eap-tls).
The code handles this asymmetry automatically.
Signed-off-by: Torbjorn Tyridal <torbjorn@tyridal.no>
* Various options have changed since radicale2, and the current
initscripts set configuration that prevents radicale3 from starting
in some cases. So update the options to radicale3.
* LuCI will not display the app when the config file is empty, so
uncomment the first (server section) line.
* Changed the default data directory to /var (ephemeral storage) as
OpenWrt policy is to not write flash by default. As with PostgreSQL,
to be useful the user will need to set configuration for an
appropriate path.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
* fix service_reload in initscript so it reloads configuration
* fold long lines for readability
* shellcheck is a useful linter, if a bit pedantic, so use it and
update script to address its warnings.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
This package is not compiled due to this build log failure:
```
adding 'radicale-2.1.12.dist-info/RECORD'
removing build/bdist.linux-aarch64/wheel
Successfully built radicale-2.1.12-py3-none-any.whl
Traceback (most recent call last):
File "<frozen runpy>", line 198, in _run_module_as_main
File "<frozen runpy>", line 88, in _run_code
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/__main__.py", line 98, in <module>
_main(sys.argv[1:], "python -m installer")
~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/__main__.py", line 86, in _main
with WheelFile.open(args.wheel) as source:
~~~~~~~~~~~~~~^^^^^^^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a53_musl/usr/lib/python3.13/contextlib.py", line 141, in __enter__
return next(self.gen)
File "/builder/shared-workdir/build/sdk/staging_dir/hostpkg/lib/python3.13/site-packages/installer/sources.py", line 162, in open
with zipfile.ZipFile(path) as f:
~~~~~~~~~~~~~~~^^^^^^
File "/builder/shared-workdir/build/sdk/staging_dir/target-aarch64_cortex-a53_musl/usr/lib/python3.13/zipfile/__init__.py", line 1367, in __init__
self.fp = io.open(file, filemode)
~~~~~~~^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/builder/shared-workdir/build/sdk/build_dir/target-aarch64_cortex-a53_musl/pypi/Radicale-2.1.12//openwrt-build/Radicale-2.1.12-*.whl'
```
This occurred due to PEP 625, which requires wheel filenames in lowercase.
The local build produces lowercase-compliant names (radicale-2.1.12-*.whl),
but the script searches for uppercase (Radicale-2.1.12-*.whl).
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Radicale is a small but powerful CalDAV (calendars, to-do lists) and
CardDAV (contacts) server.
This package provides the latest 3.x series, which succeeds radicale2.
This is a replacement for the recently dropped radicale2 and radicale1.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* bump binary to 2025.12.29 with support for -S
* update README and delete README in files/
* bugfix: properly load global option for `force_ipv6_resolvers`
* add global and per-instance `source_addr` option
Thanks to @karl82 for adding source_addr support upstream.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
libteam is a userspace tool to configure Linux network teaming.
This consists of 5 packages:
- libteam.so is a wrapper library to interface the Team Netlink API.
- teamd is a service/daemon to control a team netdev using the libteam library.
- teamdctl is a utility to alter teamd configuration at runtime.
- libteamdctl.so is a library used by teamdctl.
- teamnl is a utility mainly for debugging.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
The headers apparently changed in 1.90 from 1.89 and the
definition for BOOST_STATIC_ASSERT() needs to be brought
in explicitly from <boost/static_assert.hpp> which wasn't
previously the case.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Makefile:
* nicer DEPENDS
Init Script:
* ensure resolver config is reverted and resolver is restarted on
service fail
Signed-off-by: Stan Grishin <stangri@melmac.ca>
acme 3.1.2 added a new --cert-profile option to request specific certificates.
This makes it possible to request short-lived six-day certificates from Let's Encrypt.
Signed-off-by: Norman Gehrsitz <openwrt@gehrsitz.eu>
If libxdp is built before tcpreplay, it will pick it up.
So, might as well just add it as a dependency (for now).
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
- Add coredns package 1.13.2
- Make wgsd-coredns package transitional to coredns with wgsd plugin enabled
- Make coredns plugin list configurable, disable heavy plugins by
default and add wgsd plugin
- Place the service into ujail
- Add netbox plugin
Co-authored-by: Tianling Shen <cnsztl@gmail.com>
Signed-off-by: Vladimir Ermakov <vooon341@gmail.com>
Dependencies for the plugins authn_gssapi, authn_ldap, authn_pam, authn_dbi
and authn_sasl are not correctly written.
This causes the lighttpd package to always compile krb5-libs, libopenldap and
libpam, even if not selected.
Before the fix:
```
grep -e libpam -e krb5-libs -e libopenldap .config
# CONFIG_PACKAGE_libpam is not set
# CONFIG_PACKAGE_libopenldap is not set
# CONFIG_PACKAGE_krb5-libs is not set
make | grep -e libpam -e krb5 -e ldap
make[3] -C feeds/packages/net/krb5 compile
make[3] -C feeds/packages/libs/libpam compile
make[3] -C feeds/packages/libs/openldap compile
```
With the fix:
```
make | grep -e libpam -e krb5 -e ldap
"nothing compiled"
```
Check that fix works when mod-authn tokens are
selected (select lighttpd-mod-authn_xxx):
```
grep lighttpd-mod-authn .config
CONFIG_PACKAGE_lighttpd-mod-authn_file=y
CONFIG_PACKAGE_lighttpd-mod-authn_gssapi=m
CONFIG_PACKAGE_lighttpd-mod-authn_ldap=m
CONFIG_PACKAGE_lighttpd-mod-authn_pam=y
make | grep -e libpam -e krb5 -e ldap
make[3] -C feeds/packages/net/krb5 compile
make[3] -C feeds/packages/libs/libpam compile
make[3] -C feeds/packages/libs/openldap compile
```
x-ref:
"lighttpd: Malformed dependencies cause unselected packages to be compiled"
https://github.com/openwrt/packages/pull/28157
github: closes #28157
Signed-off-by: Alarcon Laurent <laurent.alarcon@sagemcom.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Sort EXTRA_DEPENDS after DEPENDS and remove whitespace in the version requirement.
Fixes missing version during building:
```
uspot fused dependencies: ucode (>=, libc,..
uspotfilter fused dependencies: ucode (>=, libc,...
```
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Obsolete use of $(SDK) in configure conditionals can result in
dependency errors when building a subset of packages for packages which
have multiple sub-packages.
The reason it causes dependency issues is that (using libdbi-drivers as
an example) lines like:
```
ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)
```
always evaluate to true if you are compiling in the SDK. So for a user
compiling from the SDK, the configure arguments are always added to the package build.
In the case of libdbi-drivers:
```
CONFIGURE_ARGS += \
	--with-sqlite3 \
	--with-sqlite3-incdir=$(STAGING_DIR)/usr/include \
	-with-sqlite3-libdir=$(STAGING_DIR)/usr/lib
```
is always added even if PACKAGE_libdbd-sqlite3 is deselected. When
libdbd-sqlite3 is deselected, this dependency:
```
DEPENDS:=libdbi +libsqlite3
```
is not present, so when configure tries to find sqlite3 it fails.
Closes #28173 "tree-wide: obsolete $(SDK) in conditionals"
See also:
* "include: remove SDK exception from package install targets"
openwrt/openwrt@28f44a4
Performed tree-wide to ease revert if necessary, per:
https://github.com/openwrt/packages/issues/28173#issuecomment-3694615980
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
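The conditional described in the commit message above, as an added example (a constructed stand-alone GNU make file, not code from openwrt/packages): with `SDK=1` set, the obsolete test adds the sqlite3 configure argument even when `CONFIG_PACKAGE_libdbd-sqlite3` is unset. The `OLD_`/`NEW_` variable names and the `show` target are hypothetical, and the second conditional assumes the fix simply drops `$(SDK)` from the test.

```make
# Constructed demo Makefile (added example, not from openwrt/packages).
# Compare the two invocations:
#   make SDK=1
#   make SDK=1 CONFIG_PACKAGE_libdbd-sqlite3=y

# Obsolete form: $(SDK) is non-empty inside the SDK, so the concatenated
# string is never empty and the branch is taken whatever the package
# selection is.
ifneq ($(SDK)$(CONFIG_PACKAGE_libdbd-sqlite3),)
  OLD_CONFIGURE_ARGS += --with-sqlite3
endif

# Form without $(SDK) (assumed shape of the fix): the branch is taken only
# when the sub-package is actually selected, which is also the only case in
# which its +libsqlite3 dependency is pulled in.
ifneq ($(CONFIG_PACKAGE_libdbd-sqlite3),)
  NEW_CONFIGURE_ARGS += --with-sqlite3
endif

.PHONY: show
show:
	@echo "with \$$(SDK) in test:    CONFIGURE_ARGS = [$(strip $(OLD_CONFIGURE_ARGS))]"
	@echo "without \$$(SDK) in test: CONFIGURE_ARGS = [$(strip $(NEW_CONFIGURE_ARGS))]"
```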
Since compiling tcpbridge requires linking libbpf.so.1, compiling tcpbridge first may result in compilation failure, like:
Package tcpbridge is missing dependencies for the following libraries: libbpf.so.1
The simplest way to solve it is to add a libbpf dependency in the Makefile.
Signed-off-by: TeleostNaCl Dai <teleostnacl@gmail.com>
commit ea66e463cf added a new config
option LIBCURL_HTTP_AUTH to enable or disable HTTP_AUTH support in
cURL. It defaulted the option to n (disabled).
However, prior to this change HTTP_AUTH was enabled for cURL, as the
configure script defaults to HTTP_AUTH enabled when it is not
explicitly disabled.
This impacts any consumer of cURL that uses HTTP_AUTH, including
authentication by username and password in the URL. (Confirmed via
run testing).
So we set the default for the option to y (enabled).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
nginx modules must not provide nginx which causes them to not be able
to be installed alongside nginx due to the new apk provide fixes.
Remove PROVIDES from modules.
Remove nginx-ssl from PROVIDES as there is no non-ssl variant, i.e. all
versions provide ssl.
Set nginx-ssl as the default variant.
Remove non-existent config value.
Signed-off-by: George Sapkin <george@sapk.in>
- Update daemon to 2.3.9 to fix removal of nftables rules in
`upnp_forward` and return the correct internal port; also resulted in
the excessive opening of new ports. Accept interface names starting
with digits
- Build from GitHub releases to get a reliable HTTPS server, as the
HTTP-only/HTTPS mirror were only available ~85%/77% over 3 months
https://redirect.github.com/miniupnp/miniupnp/issues/770
https://stats.uptimerobot.com/DwGDxUB914
- Build daemon with `--disable-pppconn` to remove the old/IGDv1-only
extra WANPPPConnection SSDP announcements workaround not included in
other implementations since >15y
- Build daemon with `--vendorcfg` to allow customisation of the
router/friendly name (+5 potential options) displayed in Windows
Explorer, 384 bytes extra required on ARMv7 (binary)
- Remove old (iptables variant only) patches, as no longer needed
- Remove `clean_ruleset_interval/threshold` UCI config options as not
standard/working since OpenWrt 22.03, as nftables not supported
Fixes: https://github.com/openwrt/openwrt/issues/18011
Fixes: https://github.com/openwrt/luci/issues/7759
Fixes: https://github.com/openwrt/packages/issues/26352
Signed-off-by: Self-Hosting-Group <selfhostinggroup-git+openwrt@shost.ing>
[update fixes tag]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>