Changes since 4.0.0:
- Add Zstandard decompression support for compressed web content
- Improve WolfSSL compatibility and SSL host name validation
- Improve IPv6 address support and Connection header handling
- Drop legacy pcre1 support; PCRE2 is now required
- Fix multiple memory leaks and socket leaks
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes since 26.1:
- Add SSL/TLS certificate validation for server-server links by default
(new SSLVerify option to disable)
- Add systemd sd_notify protocol support
- Add Autojoin option for automatic channel joining on connect
- Automatically maximize file descriptor limit at startup
- Add Docker/container documentation and Dockerfile
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes since 2.2.8:
- Fix crash related to FD_SET and socket timeout handling
- Fix build_absolute_url when if_indextoname() returns NULL
- Add support for C23 and glibc 2.43 string function signatures
- Improve poll() usage and C++ compiler compatibility
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Fixes symlink traversal vulnerability (CVE-2025-26625) that allowed
writing files outside the repository on checkout/pull.
Other changes since 3.5.1:
- Add --refetch option to force re-download of LFS objects
- Add --json and --dry-run options for fetch operations
- Improve .netrc handling on Windows and macOS root CA support
- Upgrade to Go 1.25 (requires Linux kernel 3.2+)
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The package is not actively-maintained and doesn't compile with modern
Protobuf. Switch it to compat version.
Signed-off-by: George Sapkin <george@sapk.in>
The package is not actively-maintained and doesn't compile with modern
Protobuf. Switch it to compat version.
Signed-off-by: George Sapkin <george@sapk.in>
Switch mosh to -std=c++17 to fix compilation with newer Protobuf.
Link with libatomic necessary for MIPS and PowerPC.
Signed-off-by: George Sapkin <george@sapk.in>
Update bsbf-resources to the GIT HEAD of 2026-05-11.
- Do not add more than 8 WANs with files/etc/uci-defaults/99-bsbf-bonding.
- resources-client/bsbf_bonding.nft now destroys the bsbf_bonding table
before adding it. Therefore, no need to delete the table anymore. And use
the destroy command to successfully exit even when the table doesn't exist.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
Add the network entries that bsbf-autoconf-cellular and bsbf-autoconf-dhcp
create, to the firewall wan zone.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
Bug-fix release. Fixes 20+ bugs and includes some performance
improvements. All users are encouraged to upgrade.
Highlights (all platforms):
* Fixed a 4.1.0 bug that failed to report some filesystem errors
to RPC clients querying free space.
* Fixed a 4.1.0 bug that kept a torrent's updated queue position
from being shown.
* Fixed a 4.1.0 bug that caused torrents' queuing order to
sometimes be lost between sessions.
* Hardened .torrent parsing by exiting sooner if 'pieces' has
an invalid size.
* Reverted a 4.1.0 RPC change that broke some 3rd party code by
returning floats rather than integers for speed limit fields.
* Fixed crash when pausing a torrent and editing its tracker
list at the same time.
* Fixed 4.1.0 crash on arm32 by switching crc32 libraries to
Mark Adler's crcany.
* Require UTF-8 filenames in .torrent files (per BitTorrent spec).
* Fixed crash when parsing a .torrent file with a bad 'pieces' key.
* Fixed potential fd leak when launching scripts on POSIX systems.
* Changed network traffic algorithm to spread bandwidth more
evenly amongst peers.
Link: https://github.com/transmission/transmission/releases/tag/4.1.1
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
- added opt-in protection against access points with locally-administered (LAA) BSSIDs
- added a special trm_maxretry value '0', enabling unlimited connection retries
- removed obsolete connection-tracking functions (too many uci updates/flash wear)
- all runtime files now live under a single /var/run/travelmate/ directory
- various code cleanups & fixes
- LuCI: made the new UCI option 'trm_eviltwin' available
- LuCI: more cleanups
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
mptcpd is the only consumer of libell; bump PKG_RELEASE so the
package is rebuilt against ell 0.83 once that update lands.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, release 3
- update PKG_RELEASE to 3
files/etc/init.d/https-dns-proxy:
- refactor nftable rules to explicitly add and flush the table and
chains instead of block replacement
- make nftable `delete table` call silent in `notrack_nft remove`
- update `notrack_nft remove` to check for absence of nftable table
instead of just checking the file
- ensure `notrack_nft remove` sets _error=1 on failure
- ignore dnsmasq instances with port 0 in
`dnsmasq_instance_append_force_dns_port`
tests/run_tests.sh:
- add test case to ensure dnsmasq port 0 is ignored
- update `notrack_nft remove` test to confirm success when both file
and table are absent
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: Rob White rob@blue-wave.net
Compile tested: All
Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, mips_24kc,
aarch64_cortex-a53; On 24.10, 25.12 and master/snapshot.
Description: wifi-chipset-detect (1.0.0)
This is a new package that reports in json format the chipset
and driver capabilities of installed wireless hardware.
Developed originally for use where Captive Portal
and Mesh Backhaul networks are being built.
It provides a stand alone script to detect details of the physical
wireless hardware without requiring the radios to be enabled.
There are no dependencies over and above the basic OpenWrt flash image.
It is based on functionality built into the OpenNDS and Mesh11sd packages.
The json formatted output is displayed on the terminal screen.
It is also written to the file /tmp/wifidetect.
This version does not require the Captive Portal
or Mesh network to be running.
Full details can be seen here:
https://github.com/openNDS/wifi-chipset-detect
Signed-off-by: Rob White <rob@blue-wave.net>
Update bsbf-resources to the GIT HEAD of 2026-05-06.
- Remove bsbf-route as bsbf-mptcp now includes the functionality it
provides.
- Remove bsbf-plpmtu as that functionality is now provided with the
plp-mtu-discovery package.
- Remove bsbf-tcp-in-udp as it's not a production-ready solution as it is.
- Add bsbf-client-web.
- Update the dependencies of bsbf-mptcp to curl, fping, ip-full, and
mptcpize.
- Remove files/etc/config/bsbf-mptcp as that functionality is now provided
using the /etc/bsbf/bsbf-mptcp-subflow-backup file.
- Remove files/etc/hotplug.d/iface/99-bsbf-mptcp as that functionality is
now provided by the bsbf-mptcp service.
- Update the dependencies of bsbf-bonding to bsbf-client-web, bsbf-mptcp,
bsbf-rate-limiting, and xray-core.
- Get rid of fw4 dependency and 99-bsbf-bonding.nft in favour of
resources-client/bsbf_bonding.nft. Add a oneshot service to apply it at
boot.
- Move from bsbf-openwrt-resources to bsbf-resources directory as we now
install resources-client/xray.json and resources-client/bsbf_bonding.nft.
- Add the bsbf-bonding command.
- Run `bsbf-bonding --enable` at the end on the uci-defaults script.
- Add the tc package as a dependency for bsbf-rate-limiting.
Fixes: https://github.com/openwrt/packages/issues/29306
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
The current check would match a uci device section that doesn't say if the
interface is a bridge. Check that the type option is bridge to address
this.
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
Fix nftables rule directory creation
- Bump PKG_RELEASE to 2.
files/etc/init.d/https-dns-proxy:
- Add 'mkdir -p' before writing nftables rules to ensure the parent
directory exists. This fixes an issue where the directory might not
exist on initial installation, causing errors.
tests/run_tests.sh:
- Add comprehensive regression tests for notrack_nft.
- Mock 'nft' to track invocations and control return codes for testing.
- Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
- Verify 'notrack_nft' correctly creates the parent directory if missing.
- Test content of generated nftables snippet, idempotence, and removal.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
unbound-control-setup is a shell script that generates TLS certificates
for unbound-control; it does not print a version string. The generic CI
test framework cannot verify the version via the binary, causing the
"No executables in the package provided version" failure.
Add a package-specific test.sh that:
- tests unbound-daemon version via 'unbound -V' and config file presence
- tests libunbound shared library presence
- tests unbound-anchor/-checkconf/-control/-host binaries run and
respond to -h without starting the daemon
- tests unbound-control-setup as an installed, executable shell script
containing expected keywords (no version check)
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update from 6.11 to 7.5. Notable changes across releases:
- 7.5: fix cifscreds command-line option parsing and ambiguous command
matching; documentation updates for echo_interval parameter
- 7.4: retry logic for -EINPROGRESS errors during mount operations;
improved handling for multiple IP address resolution scenarios
- 7.3: fix guest mount option handling; prevent empty password
parameters from being passed to the SMB client
- 7.2: improve return code checking in getcifsacl; better handling of
permission-related errors across different kernel versions
- 7.1: add upcall_target mount option for namespace resolution; enable
credential lookups in host or application namespace (e.g., Kubernetes)
- 7.0: migrate files to /usr per DEP17 M2 standard
- 6.15: fix CVE-2022-27239 (stack buffer overflow in ip= argument
parsing) and CVE-2022-29869 (info leak in verbose logging)
Add libtalloc dependency to cifsmount
Add test.sh to verify mount.cifs and smbinfo report the correct version.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
* Version 1.4.1 (released 2026-02-28)
- [SECURITY] Fixed authentication bypass (medium severity) when using
certificate authentication with cert-user-oid set to SAN(rfc822name):
a client presenting a valid CA-signed certificate without the expected
RFC822 SAN field could authenticate using password credentials alone,
bypassing the intended certificate-to-username binding. Requires the
attacker to possess both a valid CA-signed certificate and valid user
credentials (694)
- The bundled inih was updated to r62.
- The bundled protobuf-c was updated to 1.5.2.
- Fixed a bug where session timeout could be bypassed by reconnecting
(e.g., closing/opening laptop lid) (599)
- occtl: 'show user' command now includes a 'Session started at:' field,
indicating when the VPN session was established
- occtl: Fix column misalignment in ban command outputs
- occtl: Fix 'show ip bans' may produce invalid JSON (683)
- Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
- Renamed `min-reauth-time` configuration option to `ban-time` to better reflect
its purpose (676). This option defines the duration (in seconds) for which
an IP address is banned after exceeding the maximum allowed `max-ban-score`.
Default is 300 seconds (5 minutes).
- Fixed ocserv-worker process title
- Fixed ignored udp-port in vhost (612)
* Version 1.4.0 (released 2026-01-04)
- The bundled llhtp was updated to 9.3.0.
- The bundled protobuf-c was updated to 1.5.1.
- Fixed issues with PAM authentication when combined with pam_sssd (618)
- Enhanced the seccomp filters to address issue in testing (627)
- Fixed "unexpected URL" errors for Cisco AnyConnect clients
- Fixed the 'ping-leases' option, which was broken since version 1.1.1
- Fixed maximum MTU tracking in server statistics
- Fixed 'iroute' option processing to handle multiple routes (625)
- Fixed session accounting for roaming users (674)
- occtl: fix invalid JSON output in `occtl -j show iroutes` (661)
- occtl: fix regression with trailing commas in `occtl -j show sessions` (669)
- occtl: fix missing column headers in 'show ip bans' output (677)
- occtl: 'show ip bans' no longer shows expired bans (675)
- Fixed DTLS not working with systemd socket activation (647)
- Fixed a bug in the ban timer logic that could prevent IP addresses
from being banned or cause premature unbans (678)
- Session statistics are now reported at consistent intervals
for RADIUS compatibility (630)
- Single form to enter username and password (551)
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.
Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.
Force libidn instead of ICU for stringprep
prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:
encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory
The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.
Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has it's own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')
Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).
Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).
Upstream advisory: https://prosody.im/security/
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
On master, updater help and missing-option text still refer to '-N'.
Use '-S' instead so the messages match accepted script options.
Also clarify that SECTION is the UCI section name/id to start.
This is a text-only change; runtime behavior is unchanged.
Bump PKG_RELEASE to 4.
Fixes: #27737
Signed-off-by: Dharmik Parmar <dharmikparmar2004@yahoo.com>
- optimized pidfile handling in the init file
- small cornercase fixes & improvements
- drop deprecated 'drop' feed (replaced by 'spamhaus' json feed with the same content)
- LuCI: expose the new JSON Lines Format in the feed editor
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit was merged into the master branch by accident
and should be undone. Adding ujail as a hardcoded dependency
is incorrect, as ujail is meant to be an optional dependency.
A better approach is to implement ujail support within
the init script, which was discussed in the pull request
(https://github.com/openwrt/packages/pull/29277),
consistent with how other packages in the repository handle this.
Therefore, reverting for now.
This reverts commit e6b5141c7e.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.
Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <george@sapk.in>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, improve nftables rules
- Update PKG_VERSION to 2026.03.18.
- Set PKG_RELEASE to 1.
- Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
- Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.
files/etc/init.d/https-dns-proxy:
- Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
table. A top-level `chain` outside any table is invalid nftables
syntax and is rejected on kernel 6.18+, breaking firewall load.
Fixesmossdef-org/https-dns-proxy#7.
- Syntax-check the generated snippet with `nft -c -f` after write
and report OK/FAIL on the start path.
- On remove, explicitly `nft delete table` in addition to removing
the snippet file, so the live ruleset is cleaned up immediately
rather than waiting for the next fw4 reload.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
In order to create a proper jail, we net the procd-ujail package.
Otherwise, AdGuardHome will run as unprivileged process,
and will not be able to listen on ports below 1024.
Signed-off-by: Alexander Krause <alexander.krause@cs.tu-dortmund.de>
- introduced a shared named nft limit (loglimit) referenced by
all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
wgsd (WireGuard Service Discovery plugin) pulls in
golang.zx2c4.com/wireguard/wgctrl -> mdlayher/genetlink v1.2.0 ->
mdlayher/netlink v1.6.2. This version of netlink calls
mdlayher/socket's Sendmsg/Recvmsg with the old API signatures
(pre-context.Context, single-return-value Sendmsg), but coredns
itself requires mdlayher/socket v0.5.1 which changed these
signatures to include context.Context and return (int, error).
Add a go get step that upgrades netlink to v1.7.2 after the wgsd
plugin dependencies are pulled in, ensuring the build uses a
netlink version compatible with socket v0.5.x.
Should fix:
https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/coredns/compile.txt
```
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:35: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:33: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:127:42: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:142:41: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
github.com/aws/aws-sdk-go-v2/aws/protocol/query
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
github.com/aws/smithy-go/private/requestcompression
```
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Alexandru Ardelean