update to version v4.10, disable building gnulib-tests to avoid
compilation errors.
Add --disable-xattr to CONFIGURE_ARGS to avoid linking an unneeded
dependency.
Changes in sed since v4.9, from NEWS:
** Bug fixes
sed 's/a/b/g' (and other global substitutions) now works on input
lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
would evoke a "panic" (exit 4).
[bug present since the beginning]
'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
an attacker swap a symlink between resolution and open, causing sed to
read attacker-chosen content and write it to the original target.
[bug introduced in sed 4.1e]
sed no longer falsely matches when back-references are combined with
optional groups (.?) and the $ anchor. For example, this no longer
falsely matches the empty string at beginning of line:
$ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
Xab
[bug present since "the beginning"]
In --posix mode, sed no longer mishandles backslash escapes (\n,
\t, \a, etc.) after a named character class like [[:alpha:]].
For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
trailing newline, treating \n as a literal backslash and an 'n'
rather than a newline. This happened when an earlier backslash
escape in the same regex had already been converted, shifting the
in-place normalization buffer.
[bug introduced in sed 4.9]
sed --debug no longer crashes when a label (":") command is compiled
before the --debug option is processed, e.g., sed -f<(...) --debug.
[bug introduced in sed 4.7 with --debug]
sed no longer rejects the documented GNU extension 'a**' (equivalent
to 'a*') in Basic Regular Expression (BRE) mode. Previously, this
worked only with -E (ERE mode), even though grep has always accepted
it in BRE mode.
[bug present since "the beginning"]
sed no longer rejects "\c[" in regular expressions
[bug present since the beginning]
'sed --follow-symlinks -i' no longer mishandles an operand that is a
short symbolic link to a long symbolic link to a file.
[bug introduced in sed 4.9]
Fix some some longstanding but unlikely integer overflows.
Internally, 'sed' now more often prefers signed integer arithmetic,
which can be checked automatically via 'gcc -fsanitize=undefined'.
** Changes in behavior
In the default C locale, diagnostics now quote 'like this' (with
apostrophes) instead of `like this' (with a grave accent and an
apostrophe). This tracks the GNU coding standards.
'sed --posix' now warns about uses of backslashes in the 's' command
that are handled by GNU sed but are not portable to other
implementations.
** Build-related
builds no longer fail on platforms without the <getopt.h> header or
getopt_long function.
[bug introduced in sed 4.9]
Signed-off-by: Russell Senior <russell@personaltelco.net>
libfastjson uses modf() from libm but does not declare the dependency.
With BIND_NOW (CONFIG_PKG_RELRO_FULL), this can cause the dynamic linker
to process libfastjson's relocations before libm's GOT is set up,
triggering a crash in libm's IFUNC resolver on PowerPC.
Fixes: https://github.com/openwrt/packages/issues/29160
Signed-off-by: micpf <micpf@westermo.com>
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Description:
update to 2026.03.18, improve nftables rules
- Update PKG_VERSION to 2026.03.18.
- Set PKG_RELEASE to 1.
- Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
- Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.
files/etc/init.d/https-dns-proxy:
- Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
table. A top-level `chain` outside any table is invalid nftables
syntax and is rejected on kernel 6.18+, breaking firewall load.
Fixesmossdef-org/https-dns-proxy#7.
- Syntax-check the generated snippet with `nft -c -f` after write
and report OK/FAIL on the start path.
- On remove, explicitly `nft delete table` in addition to removing
the snippet file, so the live ruleset is cleaned up immediately
rather than waiting for the next fw4 reload.
Signed-off-by: Stan Grishin <stangri@melmac.ca>
In order to create a proper jail, we net the procd-ujail package.
Otherwise, AdGuardHome will run as unprivileged process,
and will not be able to listen on ports below 1024.
Signed-off-by: Alexander Krause <alexander.krause@cs.tu-dortmund.de>
zstdgrep and zstdless are shell script wrappers that do not output a
version string, so the generic CI version check fails for them. Add a
test.sh case that verifies they are present and executable instead.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
dbus-utils utilities do not implement --version so the generic CI
version check fails for them. Add a test.sh case that verifies the
binaries are present and executable instead.
dbus-utils: dbus-monitor, dbus-send, dbus-test-tool
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Several bluez utilities do not implement --version so the generic CI
version check fails for them. Add test.sh cases that verify the
binaries are present and executable instead.
bluez-daemon: obexd
bluez-utils: bdaddr, ciptool, hciattach, hciconfig, l2ping, l2test, rctest
bluez-utils-extra: gatttool
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes in 3.10:
- general bug fixes from libsepol (bounds statements in optional
blocks, type attribute handling in role-types rule, NULL dereference
and use-after-free fixes)
- treewide: add .clang-format configuration file
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes in 3.10:
- python/sepolicy: add support for DNF5
- sandbox/seunshare: replace system() with execv() to prevent shell
injection vulnerability
- seunshare: always use translations when printing
- setfiles: add -A option to disable SELINUX_RESTORECON_ADD_ASSOC
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Changes in 3.10:
- improve semanage man pages: add examples for -r RANGE flag usage
- semanage: reset active value when deleting boolean customizations
- various libsemanage/libsepol bug fixes and security hardening
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Existing package contains five libraries, some of which are > 1MB. Allow
packages which depend on only some of them to only pull in the ones they
need by splitting this package into finer-grained packages. Transition
can be done piecemeal as depending on glib2 will still pull in all the
libraries.
The original split commit (6bb0d6bd2) had a typo: the glib2 meta-package
used 'DEPENDS:+glib2-gthread +glib2-gio' (missing '='), which caused
the meta-package to have no effective dependencies. This meant packages
declaring '+glib2' did not get the sub-packages installed, causing APK
dependency checks to fail for all glib2 libraries across ~60 packages.
This re-applies the split with 'DEPENDS:=+glib2-gthread +glib2-gio'
(correct assignment syntax), so the meta-package properly pulls in all
sub-packages for consumers that still declare '+glib2'.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The generic CI test fails for /usr/bin/attr because that binary does
not implement --version. getfattr and setfattr do, so test those for
the version string and only verify attr is present and executable.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The CMakeLists.txt first tries FindLuaJIT.cmake which uses
NO_DEFAULT_PATH with hardcoded host paths, so it always fails in
cross-compilation. The fallback find_package(Lua REQUIRED) may also
fail to find a flat sysroot layout where lua.h lives at
/usr/include/lua.h rather than a versioned subdirectory.
Explicitly pass LUA_INCLUDE_DIR and LUA_LIBRARY to CMake to bypass
both finders, and depend on +liblua (the library package) instead of
+lua to ensure Build/InstallDev runs and Lua headers are present in
the staging directory before this package builds.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
- introduced a shared named nft limit (loglimit) referenced by
all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
wgsd (WireGuard Service Discovery plugin) pulls in
golang.zx2c4.com/wireguard/wgctrl -> mdlayher/genetlink v1.2.0 ->
mdlayher/netlink v1.6.2. This version of netlink calls
mdlayher/socket's Sendmsg/Recvmsg with the old API signatures
(pre-context.Context, single-return-value Sendmsg), but coredns
itself requires mdlayher/socket v0.5.1 which changed these
signatures to include context.Context and return (int, error).
Add a go get step that upgrades netlink to v1.7.2 after the wgsd
plugin dependencies are pulled in, ensuring the build uses a
netlink version compatible with socket v0.5.x.
Should fix:
https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/coredns/compile.txt
```
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:35: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:9: too many return values
have (int, error)
want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:33: not enough arguments in call to c.s.Sendmsg
have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:127:42: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:142:41: not enough arguments in call to c.s.Recvmsg
have ([]byte, nil, number)
want (context.Context, []byte, []byte, int)
github.com/aws/aws-sdk-go-v2/aws/protocol/query
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
github.com/aws/smithy-go/private/requestcompression
```
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.
Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Update config for vrrp_script in keepalived.config.
Add option name, direction and timeout in config.
Add some docs for option weight and option direction.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Update keepalived.config to add config for section peer.
`peer` is a section that can be used via 'list unicast_peer'
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Add option timeout in vrrp_script section.
This option specifies the timeout duration for script execution.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
`track_script` and `vrrp_script` are both sections that run custom scripts
which handle priority of a vrrp_instance.
`track_script` is not supported by this uci implementation
`vrrp_instance` was still trying to fetch config for track_script from section
'track_script'.
After the changes, when listing track_script in vrrp_instance,
it tries to fetch config from section `vrrp_script` which is supported.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Add logic to parse track_script section for vrrp_sync_group.
Keepalived supports script tracking in vrrp_sync_group but this was not
implemented by the uci implementation.
Note that if a vrrp_script is added to a sync group, you cannot use
priority/weight for that script as a vrrp_sync_group does not have a
priority/weight attached to it. It will do up/down as whole.
This option is optional and wouldn't affect any older configurations
during upgrade.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Added options min_ttl and max_ttl in section peer. These options are
supported by keepalived but were not supported by the uci implementation.
This allows accepting packets within a specific TTL range.
These options are optional and wouldn't affect any older configurations
during upgrade.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Removed unnecessary option value. This was not needed as option name is
already being used. Also removed a condition where the section was not
parsed if option value was not given. Value was being used to name the
script. Now the option name is used as the name when the script is called
in track_script.
Also added a condition where the section is not parsed if
option name is not given. This is because the script cannot be called if
it does not have a name.
No upgrade script is required.
The removed `value` option in `vrrp_script` was previously used to
identify scripts referenced by `track_script`. However, this mechanism
was non-functional:
- `track_script` attempted to reference a `track_script` section, which
is not implemented in the UCI configuration.
- As a result, script references were not resolved correctly even if
`value` was defined.
With this change, `track_script` now correctly references the
`vrrp_script` section, and the `name` option is used as the identifier.
Since the previous behavior was not working as intended, removing the
`value` option does not break any valid existing configurations.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
The new updated config_section_open and close functions are now used in places
where they can be used. The following sections use these functions:
(inside vrrp_instance)
- virtual_ipaddress
- virtual_routes
- track_script
- track_interface
- track_bfd
- unicast_peer
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Add a parameter for indent in config_section_open and
config_section_close. Previously you had to separately add indents
while parsing if a section was inside another section.
Now this is supported by these two functions.
You can specify how much indent you need to add before opening or closing
a section.
Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
Adjust the update error handling path to avoid hard failures on
recoverable errors. This allows ddns to retry updates after the
configured retry interval and improves reliability.
Signed-off-by: Tim Flubshi <flubshi@gmail.com>
Replace manual file loading via cat with json_load_file for parsing
JSON data. This uses the intended helper function and improves
code clarity and robustness.
Signed-off-by: Tim Flubshi <flubshi@gmail.com>
The netcup ddns update script fails on subsequent runs because a
readonly variable is assigned again. Fix this by removing the readonly
declaration to allow repeated execution.
Signed-off-by: Tim Flubshi <flubshi@gmail.com>
Prompted by
https://github.com/openwrt/luci/pull/8420#issuecomment-4071252681
we update upsmon configs to ensure they are correct according to
upstream. We reorder the options so that they match upstream
documentation at
<https://networkupstools.org/docs/man/upsmon.conf.html> to be sure
we have not missed any items.
While at it, we add configuration options from the upstream
documentation that are not currently present in the UCI configs.
Some years ago upstream changed the names the primary/secondary
UPS system/monitor from master/slave to primary/secondary. It
is uncertain how much longer these deprecated names will be
accepted by NUT.
Therefore update naming to match upstream documentation and
configuration. See
<https://networkupstools.org/docs/man/upsmon.html>,
<https://networkupstools.org/docs/man/upsmon.conf.html>, and
<https://networkupstools.org/docs/man/upsd.users.html>.
At the same time, prompted by
https://github.com/openwrt/packages/pull/28875#issuecomment-4079307540
we simplify the configuration and add checks to avoid bad configs
due to misspellings/typos of configuation options by users.
A sample config
config upsmon 'upsmon'
option notifycmd '/usr/bin/logger -t nut-monitor-exec '
config monitor
option type primary
option upsname upsname
option hostname localhost
option username upsuser
option password upspassword
config notifications 'ONLINE'
option message "UPS %s is on line power"
option flag "SYSLOG"
config notifications 'ONBATT'
option message "UPS %s is on battery power"
option flag "SYSLOG+EXEC"
In order to iterate through the notifications, we use named
'notifications' sections and compare the section name to list of
notification events defined by NUT. If they don't match, warn
during initscript startup.
Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
This is a follow-up revert. Since the underlying commit was reverted,
this one must be reverted too to avoid breakage. See commit e46654db2 for context.
This reverts commit f74183a239.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
The pyproject.toml for zope.event 6.1 specifies a strict build
dependency of setuptools>=78.1.1,<81. We currently package
setuptools>=81, causing pip to report a missing dependency and
fail the build.
Add patch 001-relax-setuptools-version.patch to drop the <81 upper
bound, allowing the package to build with any recent setuptools.
Add test.sh to verify the installed version and exercise the core
event API (subscribers list, notify(), event dispatch).
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
Russell Senior