This was changed in version 0.3.1 [1]
Fixes initial start of umurmur:
```
root@turris:~# umurmurd
Error in config file /etc/umurmur/umurmur.conf line 0: file I/O error
```
And also while running help of umurmurd, the default location is /etc/umurmur/umurmur.conf
```
Usage: umurmurd [-d] [-r] [-h] [-p <pidfile>] [-t] [-c <conf file>] [-a <addr>] [-b <port>]
-c <conf file> - Specify configuration file (default /etc/umurmur/umurmur.conf)
```
[1] https://github.com/umurmur/umurmur/commit/4f3ed41357bb6fcb7afddd5343b59cfef54d65a4
Fixes: c4a23ca996 ("umurmur: update to version 0.3.1")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 3d6be64ea3)
Fixes the following security issues:
- CVE-2025-8677: DNSSEC validation fails if matching but invalid
DNSKEY is found.
- CVE-2025-40778 Address various spoofing attacks.
- CVE-2025-40780 Cache-poisoning due to weak pseudo-random number
generator.
The complete list of changes from version 9.20.11 is available in the
upstream changelog at
https://ftp.isc.org/isc/bind9/9.20.15/doc/arm/html/changelog.html
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 59465b95b8)
After reinstalling the packages with the preserved configuration files
after a sysupgrade, the reinstalled package config files overwrite what
is on disk rather than being placed as conf-opkg. Defining these config
files will preserve them appropriately.
Signed-off-by: Joel Low <joel@joelsplace.sg>
(cherry picked from commit 03088536db)
UCI plugin in strongswan has been broken for years, and now it's causing
strongswan to fail compilation.
So, instead of the whole strongswan package to be failing and missing from
feeds simply make UCI plug depend on @BROKEN.
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit a8c89a0c77)
Major change is:
- set server signing to auto by default.
In recent versions of Windows 11, server signing is required.
However, server signing is disabled by default in ksmbd server.
So it is recommended to set server signing = auto as default,
so that it is used whenever it is required.
Signed-off-by: Andrea Pesaresi <andreapesaresi82@gmail.com>
(cherry picked from commit a7d51c511c)
Now for all devices with every size of RAM it is set to:
`smb2 max read = 64K`
`smb2 max write = 64K`
`smb2 max trans = 64K`
Instead of a fixed value of 64K, it is better to check the RAM size and adjust to:
32 ~ 64MB RAM, set the value to 64K
64 ~ 128MB, set it to 128KB
128 ~ 256MB, set it to 1MB
More than 256MB leave default size to 4MB
With 64MB and 128MB it is also better to disable the read/write cache
`cache read buffers = no`
`cache write buffers = no`
Signed-off-by: Andrea Pesaresi <andreapesaresi82@gmail.com>
(cherry picked from commit 0ca4794564)
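The RAM tiers from the commit message above, as an added example that is not the ksmbd package's own init code. The function names are hypothetical; reading `MemTotal` from `/proc/meminfo`, treating each tier's upper bound as inclusive, and writing `128K` and `1M` in the same suffix style as the `64K` shown above are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not the ksmbd package's script).

# mem_total_kb: print MemTotal in kB from meminfo-format text on stdin,
# e.g. `mem_total_kb < /proc/meminfo` (assumed RAM source).
mem_total_kb() {
	awk '/^MemTotal:/ { print $2; exit }'
}

# smb2_size_for_kb KB: print the smb2 max read/write/trans value for that
# RAM size; print nothing above 256MB so the 4MB default stays in effect.
# Upper bounds are treated as inclusive (assumption). MemTotal is always
# a little below the nominal RAM size, so a "64MB" board lands in tier 1.
smb2_size_for_kb() {
	kb="$1"
	case "$kb" in
		''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric input
	esac
	if [ "$kb" -le 65536 ]; then echo "64K"
	elif [ "$kb" -le 131072 ]; then echo "128K"
	elif [ "$kb" -le 262144 ]; then echo "1M"
	fi
}

# ksmbd_mem_options KB: emit the config lines for that RAM size.
ksmbd_mem_options() {
	kb="$1"
	size="$(smb2_size_for_kb "$kb")" || return 1
	[ -n "$size" ] || return 0     # more than 256MB: leave defaults
	for key in read write trans; do
		printf 'smb2 max %s = %s\n' "$key" "$size"
	done
	# Boards in the 64MB and 128MB classes also drop the buffer caches.
	if [ "$kb" -le 131072 ]; then
		printf 'cache read buffers = no\n'
		printf 'cache write buffers = no\n'
	fi
}

# Constructed sample: MemTotal as a 128MB-class board might report it.
sample_kb="$(printf 'MemTotal:  123456 kB\nMemFree:  40000 kB\n' | mem_total_kb)"
ksmbd_mem_options "$sample_kb"
```
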
- fix a logical glitch in opensta-handling
- add a list option 'trm_ssidfilter' to maintain a list of SSID patterns
for filtering/skipping specific open uplinks, e.g. 'Chromecast*' (fix#26406)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 65b935cb58)
ZNC can modify its own config file (znc.conf) during runtime, for
example using controlpanel or webadmin modules. Manually editing the
znc.conf file while znc is running is strongly discouraged.
Thus procd should not watch this file, it would just lead to znc being
restarted unnecessarily.
As it happens, no restarts were done, because the watched path was
specified incorrectly. It used ZNC_CONFIG instead of ZNC_CONFIG_DIR,
and so it watched /tmp/etc/znc/configs/znc.conf/configs/znc.conf which
does not exist.
Remove the watch of znc.conf as it is not needed.
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
(cherry picked from commit 00feb12444)
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
- add a new lan/wan subnet check, to show conflicts with router LAN network
- clean up bogus debug log outputs
- minor code clean ups
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit a38196f151)
- drop iwinfo, use iw/ip instead
- support passive wlan scanning (active scanning is still the default)
- drop qrencode, use the LuCI internal qrcode js library instead
- more vpn fixes
- various LuCI changes/enhancements
- fix#27599
- disable proactive scanning in the default config
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit a46dd4cf3c)
* bugfix: remove IPKG_INSTROOT check
* bugfix: do not attempt to download config update if package is disabled
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit a7f831b846)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Makefile:
* stop shipping/dealing with the firewall hotplug (obsolete)
* install a third user-script (dnsprefetch) by @betonmischer
Config:
* remove obsolete options
* include the new user script
Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* rename options to better reflect their function:
* procd_lan_device to lan_device
* procd_wan_interface to uplink_interface
* procd_wan6_interface to uplink_interface6
* procd_wan6_metric to uplink_interface6_metric
* wan_ip_rules_priority to uplink_ip_rules_priority
* wan_mark to uplink_mark
* visually separate run-time variables from variables loaded from config options
* use ${IPKG_INSTROOT} when sourcing files
* fix typo in str_to_dnsmasq_nftset()
* use pidof to kill dnsmasq in dnsmasq_kill()
* add helper function uci_add_list_if_new()
* add helper function uci_changes()
* add helper function ubus() so that service delete does not produce "Command not found"
* implement the dnsmasq features check similar to dnsmasq init script
* add get_url() function similar to luci package
* add/modify error and warning messages
* change how mktemp is used for more reliable file creation
* unset non-true boolean package config options on load for easier checks later
* improve handling of nft/nft set options
* fewer calls to resolver() and resolver() optimization to speed up the service
* use softlinks instead of duplicating dnsmasq nftset files into each instance
* prevent duplication of dnsmasq nftset elements
* option to target a specific dest dns port in DNS policies
* bugfix: more reliable interface reloads
* display README links to errors/warnings sections if any errors/warnings discovered
Uci-defaults:
* transition from old options to new ones
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit f0f8dc0fce)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Config/uci files were not being included in -full variant.
Config files were also being lost in firmware upgrades for all variants.
Both issues fixed, including correct file permissions for config files.
Signed-off-by: Antonio Pastor <antonio.pastor@gmail.com>
(cherry picked from commit 0d939af403)
The libtirpc package is only needed when building with musl, as glibc
includes the required RPC functionality. This change makes libtirpc a
conditional dependency and adjusts the build flags accordingly.
Building with x86_64-glibc:
```
...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         Built-in
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           OFF
    LibML:          OFF
...
```
Building with aarch64_cortex-a76_musl:
```
...
Feature options:
    DAQ Modules:    Dynamic
    libatomic:      User-specified
    Hyperscan:      ON
    ICONV:          ON
    Libunwind:      OFF
    LZMA:           ON
    RPC DB:         TIRPC
    SafeC:          OFF
    TCMalloc:       ON
    JEMalloc:       OFF
    UUID:           ON
    NUMA:           OFF
    LibML:          OFF
...
```
Build system: x86/64
Build-tested: x86/64-glibc, bcm27flogic/xiaomi_redmi-router-ax6000-ubootmod (for musl)
Run-tested: x86/64-glibc
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit e4bdefe1c2)
This simplifies checks enabling/disabling features, if packages are present
instead of having checks for specific architectures.
TCMALLOC_LIBRARIES is removed as it's auto-detected, unlike vectorscan
which requires explicit HS_INCLUDE_DIRS.
Fixes: 126364e105 ("snort3: refactor architecture-specific dependencies and CMake options")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 02f78bc30a)
Makefile:
* update to latest upstream: https://github.com/aarond10/https_dns_proxy/commit/7b27ecd5598d03bbe79651cc80efca886d433cd9
* update version, release
* drop CONFIGURE_ARGS as the build is curl-independent
* update the link to the documentation
README:
* add small README with the link to documentation
Config:
* rename procd_fw_src_interfaces to force_dns_src_interface to better reflect meaning
* add heartbeat_domain, heartbeat_sleep_timeout, heartbeat_wait_timeout options
* add default user, group and listen_addr options to the main config
* drop the user, group and listen_addr options from the instance configs
Init-script:
* start much earlier so that on boot, the procd_add_raw_trigger works on all systems
* create a ubus() helper function so that service delete does not produce "Command not found"
* new options handling where the global config options can be used for instance options
* some renaming of global/instance variables due to abovementioned redesign
* new open port detection, no longer relying on netstat
* new uci_changes() logic where it returns 0 or 1 instead of text
* new append_parm logic for not adding default value options to CLI
* new boolean options handling logic
* move config loading to load_package_config() function
* new logic for calling procd_set_config_changed firewall based solely on "$force_dns"
* source network.sh based on "${IPKG_INSTROOT}" path
* rename procd_fw_src_interfaces to force_dns_src_interface to better reflect meaning
* rename use_http1 to force_http1
* rename use_ipv6_resolvers_only to force_ipv6_resolvers
Uci-defaults:
* migrate to new option names
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit e1cf4ac52e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
1. Enabled hyperscan/vectorscan together with adding dependency only for x86_64 and aarch64.
2. Disabled tcmalloc (from gperftools package) for powerpc and mips.
By doing this refactor, snort3 is going to be available for more OpenWrt devices
(as it was in the past) as currently it was compiled only for x86_64 and aarch64 by mistake.
Fixes: 257e2fc38a ("snort3: fix logic in gpertools-runtime depends")
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 126364e105)
[For OpenWrt 24.10: There is hyperscan instead of vectorscan]
Config file:
* add debug_init_script and debug_performance options
* remove led (default should be empty) option
* remove procd_boot_delay (obsolete) option
Init Script:
* reinstate IPKG_INSTROOT check
* change capitalization in status messages
* unset default value for led option on load_package_config
* bugfix: unset bool options which are later checked for non-empty
* bugfix: create compressed cache only if block-file exists
* adjust errors output/storing errors for later display in multiple cases
* produce information about cache/compressed cache files in service
status output when service is stopped
* attempt to create compressed cache in service_started only if block-
file exists
* bugfix: run service_started from the dl command (to create compressed
cache file)
* rename StripToDomains variables for readability
* improve open port detection
Uci-Defaults:
* improve readability of debug options migration
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit ff2a55441d)
Simplification of Makefile: remove line splits to increase readability.
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 87d0da8aa2)
Use upstream tarballs for source rather than using git. If we ever need
to build from git we can cherry pick and make a patch. This gives a
cleaner Makefile and faster build.
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 8914929466)
Run the daemon as unprivileged user for better security.
Trim whitespaces while at it.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 182db0ac04)
Although recent updates were made, the `PKG_RELEASE` bump was missed.
Signed-off-by: Wesley Gimenes <wehagy@proton.me>
(cherry picked from commit 7c88f998e5)
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
OpenVPN does work without the kernel module, it just won't be able to use DCO.
To make life easier for OpenVPN users on very space-constrained devices make it
an optional dependency.
Signed-off-by: Dennis Camera <dennis.camera+openwrt@riiengineering.ch>
(cherry picked from commit 01fafd69ef)
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
Enable the DCO option by default in the openvpn package to allow for
better performance and have a use case for kmod-ovpn-dco-v2 :-)
Signed-off-by: Dennis Camera <dennis.camera+openwrt@riiengineering.ch>
(cherry picked from commit 11e17a3ed6)
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
Makefile changes
----------------
1. The location of uMurmur binary was changed to /sbin
in release 0.3.1. See release notes [1]
2. I need to specify location of the library file instead of
the directory.
Fixes:
```
CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
  Target "umurmurd" requests linking to directory
  "/build/staging_dir/target-powerpc_8548_musl/usr/lib".
  Targets may link only to libraries. CMake is dropping the item.
CMake Warning at src/CMakeLists.txt:44 (target_link_libraries):
  Target "umurmurd" requests linking to directory
  "/build/staging_dir/target-powerpc_8548_musl/usr/lib".
  Targets may link only to libraries. CMake is dropping the item.
```
Because of these two warnings, the build fails with
undefined references to
protobuf-c symbols (e.g. protobuf_c_message_get_packed_size).
Patches
-------
Removed all of them, because they are included in
the upstream source code.
[1] https://github.com/umurmur/umurmur/releases/tag/v0.3.1
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit c4a23ca996)
fail2ban changes:
- nftables support (iptables dependency removed)
- python3 support (old package patches removed)
- Upstream patches backports:
- filter.d/dropbear.conf: failregex extended to match different format of "Exit before auth" message
- cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd
- Removed unresponsive/unreachable maintainer.
Fixes: https://github.com/openwrt/packages/issues/23015 ("fail2ban: very old version")
Signed-off-by: Andrey Zotikov <andrey.zotikov@gmail.com>
(cherry picked from commit 2a202b2091)
The /etc/tor/torrc may contain the line:
`%include /etc/torrc.d/*.conf`
So users may put their own config files there.
We should preserve the files during an upgrade.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
[Added PKG_RELEASE bump]
(cherry picked from commit 83737ed9ea)