Commit Graph

13349 Commits

Author SHA1 Message Date
Stan Grishin c87aa1617d https-dns-proxy: update to 2026.03.18-3
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
update to 2026.03.18, release 3

  - update PKG_RELEASE to 3

files/etc/init.d/https-dns-proxy:
  - refactor nftable rules to explicitly add and flush the table and
    chains instead of block replacement
  - make nftable `delete table` call silent in `notrack_nft remove`
  - update `notrack_nft remove` to check for absence of nftable table
    instead of just checking the file
  - ensure `notrack_nft remove` sets _error=1 on failure
  - ignore dnsmasq instances with port 0 in
    `dnsmasq_instance_append_force_dns_port`

tests/run_tests.sh:
  - add test case to ensure dnsmasq port 0 is ignored
  - update `notrack_nft remove` test to confirm success when both file
    and table are absent

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2026-05-09 19:12:08 +03:00
Tianling Shen ff136bcdc3 openlist: Update to 4.2.1
Release note:
- https://github.com/OpenListTeam/OpenList/releases/tag/v4.2.0
- https://github.com/OpenListTeam/OpenList/releases/tag/v4.2.1

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-09 11:53:05 +08:00
Tianling Shen d27586caf0 dnsproxy: Update to 0.81.3
Release note: https://github.com/AdguardTeam/dnsproxy/releases/tag/v0.81.3

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-09 11:34:18 +08:00
Tianling Shen cf2b4625ed v2ray-core: Update to 5.48.0
Release note: https://github.com/v2fly/v2ray-core/releases/tag/v5.48.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-09 11:32:47 +08:00
Tianling Shen 6ab1821fae dufs: Update to 0.46.0
Release note: https://github.com/sigoden/dufs/releases/tag/v0.46.0

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-09 10:57:17 +08:00
Tianling Shen bc19d52bb3 rclone: Update to 1.74.1
Release note: https://rclone.org/changelog/#v1-74-1-2026-05-08

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-09 10:56:48 +08:00
Tianling Shen 4c55212039 v2ray-geodata: update to latest version
Update all geodata.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2026-05-09 10:56:09 +08:00
Lucian CRISTIAN a8e826ac34 frr: update to 10.6.1
update frr to latest stable 10.6.1

Signed-off-by: Lucian CRISTIAN <lucian.cristian@gmail.com>
2026-05-08 22:36:07 +02:00
Yanase Yuki b0d8a3d384 treewide: cleanup URLs
This commit converts plain HTTP URLs to HTTPS, and updates
old or outdated URLs.

Signed-off-by: Yanase Yuki <dev@zpc.st>
2026-05-08 22:28:27 +02:00
Rob White f9d93cda10 wifi-chipset-detect: new package
Maintainer: Rob White rob@blue-wave.net

Compile tested: All

Run tested: arm_cortex-a7_neon-vfpv4, mipsel_24kc, mips_24kc,
aarch64_cortex-a53; On 24.10, 25.12 and master/snapshot.

Description: wifi-chipset-detect (1.0.0)

This is a new package that reports in json format the chipset
and driver capabilities of installed wireless hardware.

Developed originally for use where Captive Portal
and Mesh Backhaul networks are being built.

It provides a stand alone script to detect details of the physical
wireless hardware without requiring the radios to be enabled.
There are no dependencies over and above the basic OpenWrt flash image.
It is based on functionality built into the OpenNDS and Mesh11sd packages.

The json formatted output is displayed on the terminal screen.
It is also written to the file /tmp/wifidetect.

This version does not require the Captive Portal
or Mesh network to be running.

Full details can be seen here:
https://github.com/openNDS/wifi-chipset-detect

Signed-off-by: Rob White <rob@blue-wave.net>
2026-05-08 08:17:18 +02:00
Daniel F. Dickinson 4a85cc3317 radicale3: bump version and adjust dependencies
Bump to latest release (3.7.2) and adjust dependencies accordingly.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-05-08 07:24:27 +02:00
Daniel F. Dickinson ed81d5775a radicale3: fix formatting of initscript
Use shfmt to standardize formatting of initscript.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-05-08 07:24:27 +02:00
Daniel F. Dickinson d0a7d402f9 radicale3: clean out cspell hints
Remove unwanted cspell hints from Makefile and initscript.

Signed-off-by: Daniel F. Dickinson <dfdpublic@wildtechgarden.ca>
2026-05-08 07:24:27 +02:00
Chester A. Unal 1e4751cdb7 bsbf-resources: update to GIT HEAD of 2026-05-06
Update bsbf-resources to the GIT HEAD of 2026-05-06.

- Remove bsbf-route as bsbf-mptcp now includes the functionality it
  provides.
- Remove bsbf-plpmtu as that functionality is now provided with the
  plp-mtu-discovery package.
- Remove bsbf-tcp-in-udp as it's not a production-ready solution as it is.
- Add bsbf-client-web.
- Update the dependencies of bsbf-mptcp to curl, fping, ip-full, and
  mptcpize.
- Remove files/etc/config/bsbf-mptcp as that functionality is now provided
  using the /etc/bsbf/bsbf-mptcp-subflow-backup file.
- Remove files/etc/hotplug.d/iface/99-bsbf-mptcp as that functionality is
  now provided by the bsbf-mptcp service.
- Update the dependencies of bsbf-bonding to bsbf-client-web, bsbf-mptcp,
  bsbf-rate-limiting, and xray-core.
- Get rid of fw4 dependency and 99-bsbf-bonding.nft in favour of
  resources-client/bsbf_bonding.nft. Add a oneshot service to apply it at
  boot.
- Move from bsbf-openwrt-resources to bsbf-resources directory as we now
  install resources-client/xray.json and resources-client/bsbf_bonding.nft.
- Add the bsbf-bonding command.
- Run `bsbf-bonding --enable` at the end of the uci-defaults script.
- Add the tc package as a dependency for bsbf-rate-limiting.

Fixes: https://github.com/openwrt/packages/issues/29306
Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
2026-05-07 05:53:10 +01:00
Chester A. Unal ba55fc5cae bsbf-bonding: fix checking if interface is a bridge
The current check would match a uci device section that doesn't say if the
interface is a bridge. Check that the type option is bridge to address
this.

Signed-off-by: Chester A. Unal <chester.a.unal@arinc9.com>
2026-05-07 05:53:10 +01:00
Stan Grishin 97b710a5b3 https-dns-proxy: update to 2026.03.18-2
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
Fix nftables rule directory creation

  - Bump PKG_RELEASE to 2.

files/etc/init.d/https-dns-proxy:
  - Add 'mkdir -p' before writing nftables rules to ensure the parent
    directory exists. This fixes an issue where the directory might not
    exist on initial installation, causing errors.

tests/run_tests.sh:
  - Add comprehensive regression tests for notrack_nft.
  - Mock 'nft' to track invocations and control return codes for testing.
  - Patch 'NOTRACK_NFT_FILE' to a test-specific path for isolated testing.
  - Verify 'notrack_nft' correctly creates the parent directory if missing.
  - Test content of generated nftables snippet, idempotence, and removal.

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2026-05-06 21:09:03 +03:00
Alexandru Ardelean 582e466d3c unbound: add test.sh
unbound-control-setup is a shell script that generates TLS certificates
for unbound-control; it does not print a version string. The generic CI
test framework cannot verify the version via the binary, causing the
"No executables in the package provided version" failure.

Add a package-specific test.sh that:
 - tests unbound-daemon version via 'unbound -V' and config file presence
 - tests libunbound shared library presence
 - tests unbound-anchor/-checkconf/-control/-host binaries run and
   respond to -h without starting the daemon
 - tests unbound-control-setup as an installed, executable shell script
   containing expected keywords (no version check)

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-06 21:05:36 +03:00
Alexandru Ardelean 6a3b110f4f cifs-utils: update to 7.5
Update from 6.11 to 7.5. Notable changes across releases:

- 7.5: fix cifscreds command-line option parsing and ambiguous command
  matching; documentation updates for echo_interval parameter
- 7.4: retry logic for -EINPROGRESS errors during mount operations;
  improved handling for multiple IP address resolution scenarios
- 7.3: fix guest mount option handling; prevent empty password
  parameters from being passed to the SMB client
- 7.2: improve return code checking in getcifsacl; better handling of
  permission-related errors across different kernel versions
- 7.1: add upcall_target mount option for namespace resolution; enable
  credential lookups in host or application namespace (e.g., Kubernetes)
- 7.0: migrate files to /usr per DEP17 M2 standard
- 6.15: fix CVE-2022-27239 (stack buffer overflow in ip= argument
  parsing) and CVE-2022-29869 (info leak in verbose logging)

Add libtalloc dependency to cifsmount

Add test.sh to verify mount.cifs and smbinfo report the correct version.

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-06 21:05:02 +03:00
Paul Donald e8cdb4bde3 ocserv: bump to v1.4.1
* Version 1.4.1 (released 2026-02-28)
- [SECURITY] Fixed authentication bypass (medium severity) when using
  certificate authentication with cert-user-oid set to SAN(rfc822name):
  a client presenting a valid CA-signed certificate without the expected
  RFC822 SAN field could authenticate using password credentials alone,
  bypassing the intended certificate-to-username binding. Requires the
  attacker to possess both a valid CA-signed certificate and valid user
  credentials (694)
- The bundled inih was updated to r62.
- The bundled protobuf-c was updated to 1.5.2.
- Fixed a bug where session timeout could be bypassed by reconnecting
  (e.g., closing/opening laptop lid) (599)
- occtl: 'show user' command now includes a 'Session started at:' field,
  indicating when the VPN session was established
- occtl: Fix column misalignment in ban command outputs
- occtl: Fix 'show ip bans' may produce invalid JSON (683)
- Handle dotted client hostnames (e.g., .local) by stripping the domain suffix
- Renamed `min-reauth-time` configuration option to `ban-time` to better reflect
  its purpose (676). This option defines the duration (in seconds) for which
  an IP address is banned after exceeding the maximum allowed `max-ban-score`.
  Default is 300 seconds (5 minutes).
- Fixed ocserv-worker process title
- Fixed ignored udp-port in vhost (612)

* Version 1.4.0 (released 2026-01-04)
- The bundled llhttp was updated to 9.3.0.
- The bundled protobuf-c was updated to 1.5.1.
- Fixed issues with PAM authentication when combined with pam_sssd (618)
- Enhanced the seccomp filters to address issue in testing (627)
- Fixed "unexpected URL" errors for Cisco AnyConnect clients
- Fixed the 'ping-leases' option, which was broken since version 1.1.1
- Fixed maximum MTU tracking in server statistics
- Fixed 'iroute' option processing to handle multiple routes (625)
- Fixed session accounting for roaming users (674)
- occtl: fix invalid JSON output in `occtl -j show iroutes` (661)
- occtl: fix regression with trailing commas in `occtl -j show sessions` (669)
- occtl: fix missing column headers in 'show ip bans' output (677)
- occtl: 'show ip bans' no longer shows expired bans (675)
- Fixed DTLS not working with systemd socket activation (647)
- Fixed a bug in the ban timer logic that could prevent IP addresses
  from being banned or cause premature unbans (678)
- Session statistics are now reported at consistent intervals
  for RADIUS compatibility (630)
- Single form to enter username and password (551)

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2026-05-06 21:02:11 +03:00
Alexandru Ardelean 42daa80ffe prosody: fix build, bump to 0.12.6 and add test.sh
mod_s2s was refactored into a single mod_s2s.lua in the flat modules
directory in 0.12.x; remove the obsolete subdirectory install rule that
caused the package build to fail.

Also add util/human/ and util/prosodyctl/ which are new subdirectories
in 0.12.x not covered by the previous install rules.

Force libidn instead of ICU for stringprep

prosody's configure script auto-detects stringprep backends and prefers
ICU when available, generating -DUSE_STRINGPREP_ICU and including
<unicode/usprep.h>. The OpenWrt SDK staging directory does not provide
ICU development headers, so the build fails with:

  encodings.c:271:10: fatal error: unicode/usprep.h: No such file or directory

The Makefile DEPENDS already declares +libidn. Pass --with-idn=idn to
explicitly select the libidn backend, which is available in the staging
directory.

Also, pass TARGET="../util/" to MAKE_FLAGS. OpenWrt has its own TARGET
env var which clobbers the 'TARGET' var from prosody's build (specified
as 'TARGET?=../util/')

Adding a test.sh to check for the correct version (since prosody mostly
has lua scripts).

Security release addressing multiple vulnerabilities. 0.12.6 is
likely the last release of the 0.12.x series (EOL June 2026).

Upstream advisory: https://prosody.im/security/

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-05-06 14:40:45 +03:00
John Audia 01ae152861 rsync: update to 3.4.2
Changelog: https://download.samba.org/pub/rsync/NEWS#3.4.2

Signed-off-by: John Audia <therealgraysky@proton.me>
2026-05-05 21:57:06 +02:00
Alan Feng 7c83b19c73 nebula: bump version to 1.10.3
changelog: https://github.com/slackhq/nebula/compare/v1.9.7...v1.10.3

Signed-off-by: Alan Feng <fthasdd@largerworld.cc>
2026-05-05 15:16:20 +03:00
Dharmik Parmar 55f5134f69 ddns-scripts: fix option name in updater messages
On master, updater help and missing-option text still refer to '-N'.
Use '-S' instead so the messages match accepted script options.
Also clarify that SECTION is the UCI section name/id to start.
This is a text-only change; runtime behavior is unchanged.

Bump PKG_RELEASE to 4.

Fixes: #27737
Signed-off-by: Dharmik Parmar <dharmikparmar2004@yahoo.com>
2026-05-05 10:21:21 +02:00
Sander van Deijck 0393b2260c openvpn: disable wolfssl support
WolfSSL support for OpenVPN is currently broken:
https://github.com/wolfSSL/wolfssl/pull/10309

Until a fix is available, disable WolfSSL as a variant.
Support can be re-enabled when WolfSSL is updated.

Signed-off-by: Sander van Deijck <sander@vandeijck.com>
2026-05-05 09:02:59 +03:00
Sander van Deijck 3e779d0564 openvpn: update to 2.7.4
Update the OpenVPN package to 2.7.4

For changes, see:
https://github.com/OpenVPN/openvpn/blob/v2.7.4/Changes.rst

Signed-off-by: Sander van Deijck <sander@vandeijck.com>
2026-05-05 09:02:59 +03:00
Dirk Brenken 98c0a3d00d banip: update 1.8.8-2
- optimized pidfile handling in the init file
- small corner-case fixes & improvements
- drop deprecated 'drop' feed (replaced by 'spamhaus' json feed with the same content)
- LuCI: expose the new JSON Lines Format in the feed editor
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-04 19:42:40 +02:00
Dirk Brenken 01fd465bf4 adblock: update 4.5.5-2
- optimized pidfile handling in the init file
- multiple allowlist tweaks
- various small corner-case fixes & improvements
- LuCI: expose new UCI options 'adb_fetchcmd' and 'adb_fetchretry'
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-03 20:02:19 +02:00
Josef Schlehofer 688945881f Revert "adguardhome: added ujail dependency"
This commit was merged into the master branch by accident
and should be undone. Adding ujail as a hardcoded dependency
is incorrect, as ujail is meant to be an optional dependency.

A better approach is to implement ujail support within
the init script, which was discussed in the pull request
(https://github.com/openwrt/packages/pull/29277),
consistent with how other packages in the repository handle this.

Therefore, reverting for now.

This reverts commit e6b5141c7e.

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2026-05-03 15:05:20 +02:00
George Sapkin cc4f8076d9 mosquitto: fix installing libraries
Use cp instead of install when installing libraries to not follow
symlinks and create duplicate files.

Fixes: aa89f847 ("mosquitto: update to 2.0.18")
Signed-off-by: George Sapkin <george@sapk.in>
2026-05-03 10:15:04 +03:00
Stan Grishin 81f0ef48e1 https-dns-proxy: update to 2026.03.18-1
Maintainer: me
Compile tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1
Run tested: x86_64, Dell EMC Edge620, OpenWrt 25.12.1

Description:
update to 2026.03.18, improve nftables rules

  - Update PKG_VERSION to 2026.03.18.
  - Set PKG_RELEASE to 1.
  - Update PKG_SOURCE_VERSION to 801881210ba8215dc9cd577222d8c10372423360.
  - Update PKG_MIRROR_HASH to 4c356c19b62fc7bdef3a67fd678e48f3659d709da10517c2eadef76e3409f5ce.

files/etc/init.d/https-dns-proxy:
  - Wrap the notrack chain in its own `inet https_dns_proxy_notrack`
    table. A top-level `chain` outside any table is invalid nftables
    syntax and is rejected on kernel 6.18+, breaking firewall load.
    Fixes mossdef-org/https-dns-proxy#7.
  - Syntax-check the generated snippet with `nft -c -f` after write
    and report OK/FAIL on the start path.
  - On remove, explicitly `nft delete table` in addition to removing
    the snippet file, so the live ruleset is cleaned up immediately
    rather than waiting for the next fw4 reload.

Signed-off-by: Stan Grishin <stangri@melmac.ca>
2026-05-01 18:04:56 -07:00
Alexander Krause e6b5141c7e adguardhome: added ujail dependency
In order to create a proper jail, we need the procd-ujail package.
Otherwise, AdGuardHome will run as an unprivileged process,
and will not be able to listen on ports below 1024.

Signed-off-by: Alexander Krause <alexander.krause@cs.tu-dortmund.de>
2026-05-01 21:06:56 +03:00
Dirk Brenken e0669cb1a8 banip: release 1.8.8-1
- introduced a shared named nft limit (loglimit) referenced by
  all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
   the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
   entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-30 11:37:14 +02:00
Alexandru Ardelean 3b680cc166 coredns: fix netlink compat for wgsd plugin
wgsd (WireGuard Service Discovery plugin) pulls in
golang.zx2c4.com/wireguard/wgctrl -> mdlayher/genetlink v1.2.0 ->
mdlayher/netlink v1.6.2. This version of netlink calls
mdlayher/socket's Sendmsg/Recvmsg with the old API signatures
(pre-context.Context, single-return-value Sendmsg), but coredns
itself requires mdlayher/socket v0.5.1 which changed these
signatures to include context.Context and return (int, error).

Add a go get step that upgrades netlink to v1.7.2 after the wgsd
plugin dependencies are pulled in, ensuring the build uses a
netlink version compatible with socket v0.5.x.

Should fix:
  https://downloads.openwrt.org/snapshots/faillogs/i386_pentium-mmx/packages/coredns/compile.txt

```
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:9: too many return values
	have (int, error)
	want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:105:35: not enough arguments in call to c.s.Sendmsg
	have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
	want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:9: too many return values
	have (int, error)
	want (error)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:116:33: not enough arguments in call to c.s.Sendmsg
	have ([]byte, nil, *"golang.org/x/sys/unix".SockaddrNetlink, number)
	want (context.Context, []byte, []byte, "golang.org/x/sys/unix".Sockaddr, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:127:42: not enough arguments in call to c.s.Recvmsg
	have ([]byte, nil, number)
	want (context.Context, []byte, []byte, int)
../../../../../dl/go-mod-cache/github.com/mdlayher/netlink@v1.6.2/conn_linux.go:142:41: not enough arguments in call to c.s.Recvmsg
	have ([]byte, nil, number)
	want (context.Context, []byte, []byte, int)
github.com/aws/aws-sdk-go-v2/aws/protocol/query
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding
github.com/aws/smithy-go/private/requestcompression
```

Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-04-29 06:42:29 +03:00
Alexandru Ardelean bf50291ab1 prosody: fix PKG_HASH for 0.12.4
The prosody.im upstream updated the 0.12.4 tarball in-place, changing
its content without bumping the version. Update PKG_HASH to match the
currently published tarball.

Fixes: f4d305b73 ("prosody: update to 0.12.4")
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
2026-04-28 23:10:43 +02:00
Dirk Brenken 523c395b17 banip: release 1.8.7-1
- fix log rate limit and drop throttling (#29255, #27990)
- serialize dedup writes via flock in f_down
- tighten RDAP CIDR validation and lock handling in f_monitor
- fix IPv6 prefix regex in f_search, simplify sed pattern in f_report
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>

Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-28 20:01:11 +02:00
John Audia 49a852ff9d snort3: update to 3.12.2.0
Changelog: https://github.com/snort3/snort3/releases/tag/3.12.2.0

Signed-off-by: John Audia <therealgraysky@proton.me>
2026-04-28 08:26:36 +02:00
Rishabh 2482fdd481 keepalived: bump PKG_RELEASE to 3
Bump PKG_RELEASE from 2 to 3.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 0fc6a409c2 keepalived: update config for option track_script
Update config for option track_script in vrrp_instance to use vrrp_script
instead of track_script

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 3fb01d67c7 keepalived: remove config section track_script
Remove config section for track_script from keepalived.config
as it is not supported.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 09143ea2b2 keepalived: update config for vrrp_script section
Update config for vrrp_script in keepalived.config.
Add option name, direction and timeout in config.
Add some docs for option weight and option direction.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 777925d423 keepalived: add option track_bfd in vrrp_instance
Update keepalived.config to add track_bfd option in vrrp_instance

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 7673eab565 keepalived: add config for section peer
Update keepalived.config to add config for section peer.
`peer` is a section that can be used via 'list unicast_peer'

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh b3a0f57c4f keepalived: add config for bfd_instance
Add config for bfd_instance in keepalived.config.
This includes all currently supported options.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 361beae4ed keepalived: add config for track_script in sync group
Update keepalived.config to add track_script option in vrrp_sync_group

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh b3f5280ca9 keepalived: add option timeout in vrrp_script
Add option timeout in vrrp_script section.
This option specifies the timeout duration for script execution.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh efed5cf1a6 keepalived: use section vrrp_script for option track_script
`track_script` and `vrrp_script` are both sections that run custom scripts
which handle priority of a vrrp_instance.
`track_script` is not supported by this uci implementation

`vrrp_instance` was still trying to fetch config for track_script from section
'track_script'.

After the changes, when listing track_script in vrrp_instance,
it tries to fetch config from section `vrrp_script` which is supported.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 82f99e0815 keepalived: add track_script to vrrp_sync_group
Add logic to parse track_script section for vrrp_sync_group.
Keepalived supports script tracking in vrrp_sync_group but this was not
implemented by the uci implementation.

Note that if a vrrp_script is added to a sync group, you cannot use
priority/weight for that script as a vrrp_sync_group does not have a
priority/weight attached to it. It will do up/down as a whole.

This option is optional and wouldn't affect any older configurations
during upgrade.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 22919cd685 keepalived: update print_unicast_peer_indent func
Added options min_ttl and max_ttl in section peer. These options are
supported by keepalived but were not supported by the uci implementation.

This allows accepting packets within a specific TTL range.

These options are optional and wouldn't affect any older configurations
during upgrade.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 9542111b14 keepalived: fix print_track_script_indent func
Removed unnecessary option value. This was not needed as option name is
already being used. Also removed a condition where the section was not
parsed if option value was not given. Value was being used to name the
script. Now the option name is used as the name when the script is called
in track_script.

Also added a condition where the section is not parsed if
option name is not given. This is because the script cannot be called if
it does not have a name.

No upgrade script is required.

The removed `value` option in `vrrp_script` was previously used to
identify scripts referenced by `track_script`. However, this mechanism
was non-functional:

- `track_script` attempted to reference a `track_script` section, which
  is not implemented in the UCI configuration.
- As a result, script references were not resolved correctly even if
  `value` was defined.

With this change, `track_script` now correctly references the
`vrrp_script` section, and the `name` option is used as the identifier.

Since the previous behavior was not working as intended, removing the
`value` option does not break any valid existing configurations.

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00
Rishabh 0046dd5648 keepalived: use extended config_section open/close functions
The new updated config_section_open and close functions are now used in places
where they can be used. The following sections use these functions:

(inside vrrp_instance)
    - virtual_ipaddress
    - virtual_routes
    - track_script
    - track_interface
    - track_bfd
    - unicast_peer

Signed-off-by: Rishabh <rishabhshah2005@gmail.com>
2026-04-27 14:28:04 +02:00