* Fix path to fping and use fping as fping6
* For privacy, disable call to public API to check for Zabbix version update
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 2aadd0d97f)
When we updated the zabbix agent to use username zabbix-agent
we neglected to update ubus acls for zabbix-extra-network.
Therefore update the username for the network and wifi acls.
Will close#29058 once backported to 25.12.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 0268b7cbc4)
Ensure consist JSON formatting by using jq --tab . <filename>.json.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 6b555ae5e0)
As noted in #28709 OpenWrt contains CONFIG_
symbols for Zabbix even when no Zabbix package is selected.
This fixes and Closes#28709.
We add a 'guard' symbol for the menus and choices so the only
generate CONFIG symbols when 'Enable Zabbix'
(CONFIG_ZABBIX_ENABLE_ZABBIX) is selected.
We also make all the Zabbix packages depend on this symbol,
for consistency.
This operates much as the pseudo-package solution, but without
a pseudo-package required.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit f0576eb36b)
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.
Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.
Force libidn instead of ICU for stringprep
prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:
encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory
The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.
Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has it's own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')
Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).
Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).
Upstream advisory: https://prosody.im/security/
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 42daa80ffe)
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.
Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit bf50291ab1)
Upstream is preparing the migration to a new website. As part of this, they
will be dropping the `www` prefix. Also, the package source is updated to use
mc's official OSU OSL mirror over HTTPS.
Signed-off-by: Yury V. Zaytsev <yury@shurup.com>
(cherry picked from commit 047ac71184)
Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.
Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <george@sapk.in>
(cherry picked from commit cc4f8076d9)
The log file path is hardcoded as $HOME/.local/state/btop.log, i.e. to the router’s flash storage rather than to tmpfs. This patch sets the log file path to /tmp/log/btop.log
Signed-off-by: XCas13 <xcas13@gmail.com>
(cherry picked from commit 7c3e376967)
2026-04-06: Version 7.5.5
* New option --error-binary: Return an error if a
binary file is skipped.
* Fix: dos2unix error on empty input. The problem was introduced
in version 7.5.4.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 6536260c01)
Patch release fixing build system issues with the 2.0.0 release.
2.0.0 introduced API changes including:
* Version macros for detection of incompatible API / version
* size_t as argument to allow longer base64 encoded strings
* Configurable line break functionality
* Flags field for encoder
* Helpers to calculate required output buffer maximum lengths
* Switched in-/out-pointers to void*
Link: https://github.com/libb64/libb64/blob/v2.0.0.1/CHANGELOG.md
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 3650172e26)
Bug-fix release. Fixes 20+ bugs and includes some performance
improvements. All users are encouraged to upgrade.
Highlights (all platforms):
* Fixed a 4.1.0 bug that failed to report some filesystem errors
to RPC clients querying free space.
* Fixed a 4.1.0 bug that kept a torrent's updated queue position
from being shown.
* Fixed a 4.1.0 bug that caused torrents' queuing order to
sometimes be lost between sessions.
* Hardened .torrent parsing by exiting sooner if 'pieces' has
an invalid size.
* Reverted a 4.1.0 RPC change that broke some 3rd party code by
returning floats rather than integers for speed limit fields.
* Fixed crash when pausing a torrent and editing its tracker
list at the same time.
* Fixed 4.1.0 crash on arm32 by switching crc32 libraries to
Mark Adler's crcany.
* Require UTF-8 filenames in .torrent files (per BitTorrent spec).
* Fixed crash when parsing a .torrent file with a bad 'pieces' key.
* Fixed potential fd leak when launching scripts on POSIX systems.
* Changed network traffic algorithm to spread bandwidth more
evenly amongst peers.
Link: https://github.com/transmission/transmission/releases/tag/4.1.1
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4216ad05af)
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, release 3
- update PKG_RELEASE to 3
files/etc/init.d/https-dns-proxy:
- refactor nftable rules to explicitly add and flush the table and
chains instead of block replacement
- make nftable `delete table` call silent in `notrack_nft remove`
- update `notrack_nft remove` to check for absence of nftable table
instead of just checking the file
- ensure `notrack_nft remove` sets _error=1 on failure
- ignore dnsmasq instances with port 0 in
`dnsmasq_instance_append_force_dns_port`
tests/run_tests.sh:
- add test case to ensure dnsmasq port 0 is ignored
- update `notrack_nft remove` test to confirm success when both file
and table are absent
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 4bac71e3cd)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
Fix nftables rule directory creation
- Bump PKG_RELEASE to 2.
files/etc/init.d/https-dns-proxy:
- Add 'mkdir -p' before writing nftables rules to ensure the parent
directory exists. This fixes an issue where the directory might not
exist on initial installation, causing errors.
tests/run_tests.sh:
- Add comprehensive regression tests for notrack_nft.
- Mock 'nft' to track invocations and control return codes for testing.
- Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
- Verify 'notrack_nft' correctly creates the parent directory if missing.
- Test content of generated nftables snippet, idempotence, and removal.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 3d9a73bd7e)
Signed-off-by: Stan Grishin <stangri@melmac.ca>
Fixes https://github.com/openwrt/packages/issues/27952
Update avahi from 0.8 to 0.9-rc4. The 0.9 development line accumulates
four years of bug and security fixes since the 0.8 release (2020-02-18).
Notable improvements in 0.9-rc4 over 0.8:
Security (all CVEs previously backported as patches, now removed):
- CVE-2023-38469: reject TXT records whose total rdata exceeds
AVAHI_DNS_RDATA_MAX, preventing heap-buffer reads under crafted mDNS
- CVE-2023-38470: ensure each DNS label is at least one byte, preventing
an infinite loop on malformed packets
- CVE-2023-38471: extract host name via avahi_unescape_label() before
generating an alternative to avoid operating on a raw escaped string
- CVE-2023-38472: check that rdata pointer is non-NULL before passing to
avahi_rdata_parse() from dbus-entry-group
- CVE-2023-38473: derive alternative host name from its unescaped form,
fixing incorrect hostname collision resolution with escaped labels
Bug fixes (previously backported):
- Fix NULL-pointer crashes in avahi_s_*_browser_new() (#175)
- Avoid infinite loop in avahi-daemon simple-protocol by handling
AVAHI_WATCH_HUP event in client_work
- Fix potential undefined behaviour in avahi_dns_packet_consume_uint32:
cast uint8_t operands to uint32_t before shifting
- Fix memory/CPU leak in the simple event loop: cleanup_watches() was
zeroing timeout_req_cleanup instead of watch_req_cleanup, so completed
watches were never removed from the linked list
- Emit D-Bus error reply when avahi-daemon cannot resolve a hostname or
service, rather than crashing with a NULL dereference
- Increase ini-file-parser line buffer from 256 to 1024 bytes to handle
longer configuration values without silent truncation
Other changes:
- P2P tunnel support: IFF_MULTICAST is no longer required for
point-to-point interfaces when allow-point-to-point=yes
- Runtime directory: configure.ac now derives the socket path from
${runstatedir} (defaults to ${localstatedir}/run), so the
explicit patch reverting the /run hardcoding is no longer needed
- Patch 010-pkgconfig.patch (pkgconfig prefix alignment) is retained
as it has not been merged upstream
Dropped patches (all merged upstream):
020-revert-runtime-dir-systemd-change.patch
100-p2p-no-iff_multicast-required.patch
200-Fix-NULL-pointer-crashes-from-175.patch
201-Avoid-infinite-loop-in-avahi-daemon-by-handling-HUP-event.patch
202-avahi_dns_packet_consume_uint32-fix-potential-undefined-b.patch
203-Do-not-disable-timeout-cleanup-on-watch-cleanup.patch
204-Emit-error-if-requested-service-is-not-found.patch
205-conf-file-line-lengths.patch
300-CVE-2023-38469.patch through 304-CVE-2023-38473.patch
Library SONAMES unchanged: libavahi-common.so.3, libavahi-core.so.7,
libavahi-client.so.3 — no reverse dependency rebuilds required.
Disable libsystemd (not available on OpenWrt)
avahi 0.9-rc4 added --enable-libsystemd which defaults to enabled and
fails configure when libsystemd is not found via pkg-config. OpenWrt
does not provide libsystemd; disable it explicitly.
Also pass --with-systemdsystemunitdir=no to suppress the pkg-config
lookup for the systemd unit directory.
Drop po/ subdir from build
The 0.9-rc4 tarball is a raw git archive; po/Makefile.in.in is not
pre-generated as it was in the 0.8 release tarball. autopoint (from
gettext) is needed to install it, but is not available in the OpenWrt
SDK. Since OpenWrt does not use NLS translations, remove po/ from
SUBDIRS in Makefile.am to avoid the missing po/Makefile.in.in error
during configure.
In 0.9-rc4 the D-Bus system.d directory changed from
$(sysconfdir)/dbus-1/system.d to $(datadir)/dbus-1/system.d,
so avahi-dbus.conf is now installed under usr/share/dbus-1/system.d.
Update the install rule source path accordingly; keep the on-device
destination at /etc/dbus-1/system.d for compatibility.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
(cherry picked from commit 24c3026f94)
Rather than having a database selection for SQLITE which prevents
the server or frontend from building, we add a 'basic'
variant for the proxy which uses sqlite3, and have the database
Kconfig affect only the server and frontend.
* There are now only three variants:
1. full, which is the default. It includes the full monitoring feature
set currently available on openwrt, including netsnmp, curl-based
checks, and ldap. In addition these features, plus the choice of
database and ssl provider (or no ssl) are configuration options for
this variant.
2. basic, which provides basic functions with openssl support
3. no-configure, for packages which are not part of the main Zabbix
compile process (including the WebUI which only requires copying
files for use by a web server with PHP CGI support).
* Full is the default variant for agentd and proxy, which are the only
packages with a choice between full and basic. All other packages only
are part of one variant.
* Full variants are the base version of the packages (that is
zabbix-agentd is the 'full' version while zabbix-agentd-basic is the
core version). The proxy version is named zabbix-proxy-basic-sqlite to
announce that it is using the sqlite3 database and not a database
server.
* get and sender only build if at least one of agentd, server, or proxy
are built. Therefore prevent selection get or sender when they would not
build.
* Zabbix's use of NetSNMP requires that Zabbix be build with OpenSSL
* While we are here, enable support for dates after 2038 (64-bit time_t)
* https://github.com/openwrt/packages/pull/28585#issuecomment-3984978895
* we updated the name to reflect that it is for basic functionality
that can standalone, rather then being a core the other packages
build on.
* basic has been used rather than tiny or small since the sentence
'Provides only tiny/small functionality with SSL/TLS' in the
description, sounds strange, but using basic this reads properly.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit c98e9d68a0)
Using the php8 dependency allows use to go back to using the
+ZABBIX_POSTGRESQL:php8-mod-pgsql (and like dependency for
mysql/mariadb).
This has the benefit of being an apk dependency so the user does not
install the frontend without a php8 database module.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 4afdeb7d19)
We aren't using packages with the same name as the provides, so don't
use an virtual (@) provides for providing zabbix-get
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 696e549e9d)
For non-compiled package that are architecture independant, set
PKGARCH:=all.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 4635838819)
When selecting only a package of "no-configure" build variant, e.g.
CONFIG_PACKAGE_zabbix-frontend-server=y
but not any other zabbix package, then the build fails.
The sources are not extracted and the install fails finally with:
make[4]: Entering directory '/srv/openwrt/openwrt-2.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[4]: *** No rule to make target 'install'. Stop.
make[4]: Leaving directory '/srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22'
make[3]: *** [Makefile:522: /srv/openwrt.git/build_dir/target-arm_arm926ej-s_musl_eabi/zabbix-no-configure/zabbix-7.0.22/.built] Error 2
This PR fixes this by always running the standard Prepare stage,
but skip the Install one when nothing needs to be compiled.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
(cherry picked from commit 849db7361d)
The error in the #24828 patch series left Kconfig recursive depedency
error on zabbix-frontend-server. We fix this by update the database
depedencies on zabbix-frontend-server. Now, you must select the PHP8
database module you want _before_ zabbix-frontend-server will be
visible in menuconfig.
This is not a big problem, because zabbix-frontend-server already
depends on having php8 slected before the frontend can be built.
Closes: #28458
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit ff7353dbbc)
Due to package renaming the selection of database for the server and
proxy was missing from the Kconfig menu. This caused build failures for
proxy and server.
We now fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit b032682381)
Using line continuation (\\) in GNU Make \$(foreach ...) and
\$(call ...) resulted in the install section for many of the packages
not being defined. This resulted in 'skipping [package-name] no install
section' messages and no new package being generated.
We remove the line continuation from the parts foreach and call, in
ordeer to restore compilation and creation of packages.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 8bc0c6c7cf)
In preparation for further changes, deduplicate package definitions,
and reorganize them. At the same time make use of provides to ensure
both existing names are preserved, and that it is possible to be
specific about the variant of the package one wants.
Also, condense the package conffiles, install, postinst, etc handling.
This is more maintainable (less copy and paste and less to modify).
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 75146ea2be)
cspell.json was accidentally include in a previous commit, so remove it.
VARIANT is to be used in package definitions, and BUILD_VARIANT
for checking which VARIANT is currently being built. BUILD_VARIANT was
incorrectly used in a package definition, so we fix that.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 0a897f7042)
The last PR (https://github.com/openwrt/packages/pull/28370) missed
including two needed changes, and had a minor packaging Makefile
mistake.
The Zabbix Agent needs to drop privileges to the zabbix-agent user.
Similarly, if run as root (not the default), the Zabbix server needs to
drop privileges to the zabbix-server user.
There are also, in the Makefile, three instances of using BUILD_VARIANT
instead of VARIANT in package definitions.
So we fix those issues.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit a2685bfad2)
For items which are only copied from the source code, avoid the
prepare, configure, and compile steps, while preserving the special
behaviour of the mac80211 addon, which has a unique prepare and
compile.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 8ab5a3d7c3)
Avoid unnecessary duplication on zabbix-agentd package definitions by
using a common zabbix-agentd/Default and extending it for different
zabbix-agentd flavours.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit f798e17379)
For security, per upstream recommendations, use a separate user for the
agent daemon and the server daemon.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 907e9c6b1e)
Bump Zabbix to the latest released 7.0.x LTS version.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 1f3251545d)
Adds an initscript for zabbix_server, and related helper files
+ uses a zabbix_server uci conf to enable/disable startup
+ updates the default zabbix_server.conf to work with initscript
+ add a sysctl.d conf to set max-files more appropriate for zabbix_server
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit ffdb7209a4)
Addresses the issue pointed out in #28165, which is that zabbix_agentd
always creates a PidFile and has no option to disable PidFile creation.
Therefore update the configuration file to default to create a PidFile
where we want it.
Close#28165
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
(cherry picked from commit 1ff6a92251)
Daniel F. Dickinson