Merge remote-tracking branch 'upstream/master'

2026-04-29 23:18:42 +01:00 · 2018-05-29 09:07:16 +02:00
parent 425331f316 d7ffa9ca0e
commit 429b955ca2
52 changed files with 2036 additions and 694 deletions
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=fwknop
 PKG_VERSION:=2.6.9
-PKG_RELEASE:=4
+PKG_RELEASE:=5

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.cipherdyne.org/fwknop/download
@@ -2,7 +2,9 @@ config global
 #	option uci_enabled '1'

 config network
-#	option network 'wan'	# takes precedence over config.PCAP_INTF
+	# Logical network dependency, fully tracked, fwknopd gets restarted when
+	# necessary. Specifying network takes precedence over config.PCAP_INTF
+#	option network 'wan'

 config access
 	option SOURCE 'ANY'
@@ -10,3 +12,6 @@ config access
 	option KEY 'CHANGEME'

 config config
+	# Alternative direct physical interface definition, but untracked - you
+	# are on your own to correctly start/stop the service when needed
+#	option PCAP_INTF 'eth0'
@@ -14,24 +14,31 @@ start_service()
 {
 	generate_configuration

-	procd_open_instance
-	procd_set_param command "$FWKNOPD_BIN" --foreground --syslog-enable
-	procd_set_param respawn
-
-	if [ $UCI_ENABLED -eq 1 ]; then
-		procd_append_param command -c /var/etc/fwknopd.conf
-		procd_append_param command -a /var/etc/access.conf
+	if [ -n "$DEPEND_IFNAME" ] ; then
+		# We know the interface, so we can start
+		procd_open_instance
+		procd_set_param command "$FWKNOPD_BIN" --foreground --syslog-enable
+		procd_set_param respawn
+		if [ $UCI_ENABLED -eq 1 ]; then
+			procd_append_param command -c /var/etc/fwknopd.conf
+			procd_append_param command -a /var/etc/access.conf
+		fi
+		procd_append_param command -i "$DEPEND_IFNAME"
+		procd_set_param netdev "$DEPEND_IFNAME"
+		procd_close_instance
+	else
+		logger -p daemon.info -t "fwknopd[----]" "Postponing start-up of fwknopd, network $NETWORK is not up"
 	fi
-
-	procd_append_param command -i "$DEPEND_IFNAME"
-	procd_set_param netdev "$DEPEND_IFNAME"
-
-	procd_close_instance
 }

 service_triggers()
 {
 	procd_add_reload_trigger "fwknopd"
+
+	if [ -n "$NETWORK" ] ; then
+		logger -p daemon.info -t "fwknopd[----]" "Listening for changes on network $NETWORK"
+		procd_add_reload_interface_trigger "$NETWORK"
+	fi
 }

 get_bool()
@@ -51,7 +58,7 @@ generate_configuration()

 	UCI_ENABLED=0
 	DEPEND_IFNAME=
-	local NETWORK=
+	NETWORK=
 	local PCAP_INTF=
 	local USER_CONFIG_PATH=/etc/fwknop/fwknopd.conf
 	local DEFAULT_UCI_NETWORK=wan
@@ -67,9 +74,16 @@ generate_configuration()
 				if [ "$option" = "uci_enabled" ] && [ "$(get_bool "$value" 0)" -eq 1 ] ; then
 					> /var/etc/fwknopd.conf
 					> /var/etc/access.conf
-                                        chmod 600 /var/etc/fwknopd.conf
-                                        chmod 600 /var/etc/access.conf
+					chmod 600 /var/etc/fwknopd.conf
+					chmod 600 /var/etc/access.conf
 					UCI_ENABLED=1
+
+					# Forced defaults
+
+					# Do not let fwknopd to shut-down when interface goes down,
+					# control it from the start-up script instead:
+					# https://bugs.openwrt.org/index.php?do=details&task_id=1481
+					echo "EXIT_AT_INTF_DOWN n" >> /var/etc/fwknopd.conf
 				fi
 			}
 		elif [ "$type" = "network" ]; then
@@ -87,12 +101,13 @@ generate_configuration()
 				if [ $UCI_ENABLED -eq 1 ] && [ $option = "PCAP_INTF" ]; then
 					PCAP_INTF="$value"
 					echo "$option $value" >> /var/etc/fwknopd.conf  #writing each option to fwknopd.conf
+				elif [ $UCI_ENABLED -eq 1 ] && [ $option = "EXIT_AT_INTF_DOWN" ]; then
+					logger -p daemon.warn -t "fwknopd[----]" "Ignoring EXIT_AT_INTF_DOWN option, forced to N (no) to work reliably with procd"
 				elif [ $UCI_ENABLED -eq 1 ]; then
 					echo "$option $value" >> /var/etc/fwknopd.conf  #writing each option to fwknopd.conf
 				fi
 			}
-		elif [ "$type" = "access" ]
-		then
+		elif [ "$type" = "access" ]; then
 			if [ -f /tmp/access.conf.tmp ] ; then
 				cat /tmp/access.conf.tmp >> /var/etc/access.conf
 				rm /tmp/access.conf.tmp
@@ -108,7 +123,7 @@ generate_configuration()
 				fi
 			}
 		else
-			option_cb() { return; }
+			reset_cb
 			if [ -z "$type" ]; then
 				# Finalize reading
 				if [ -f /tmp/access.conf.tmp ] ; then
@@ -125,8 +140,8 @@ generate_configuration()

 	if [ $UCI_ENABLED -eq 0 ]; then
 		if [ -f $USER_CONFIG_PATH ] ; then
-			# Scan user configuration for PCAP_INTF settings
-			DEPEND_IFNAME="$( sed -ne '/^\s*PCAP_INTF\s\+/ { s/^\s*PCAP_INTF\s\+//; s/\s\+$//; p; q; }' /etc/fwknop/fwknopd.conf )"
+			# Scan user configuration for PCAP_INTF settings and fallback to fwknopd's default
+			DEPEND_IFNAME="$( sed -ne '/^\s*PCAP_INTF\s\+/ { s/^\s*PCAP_INTF\s\+//; s/\s\+$//; p; q; }' $USER_CONFIG_PATH )"
 			if [ -n "$DEPEND_IFNAME" ]; then
 				logger -p daemon.debug -t "fwknopd[----]" "Found fwknopd.conf configuration, using PCAP_INTF interface $DEPEND_IFNAME"
 			else
@@ -146,14 +161,14 @@ generate_configuration()
 			NETWORK="$DEFAULT_UCI_NETWORK"
 		fi

+		# Resolve network if possible
 		if [ -n "$NETWORK" ]; then
 			. /lib/functions/network.sh
-			network_get_physdev DEPEND_IFNAME "$NETWORK"
+			network_get_device DEPEND_IFNAME "$NETWORK"
 			if [ -n "$DEPEND_IFNAME" ]; then
 				logger -p daemon.debug -t "fwknopd[----]" "Resolved network $NETWORK as interface $DEPEND_IFNAME"
 			else
-				logger -p daemon.warn -t "fwknopd[----]" "Cannot find interface for network $NETWORK, fwknopd's default $DEFAULT_FWKNOPD_IFNAME will be used"
-				DEPEND_IFNAME="$DEFAULT_FWKNOPD_IFNAME"
+				logger -p daemon.warn -t "fwknopd[----]" "Cannot find interface for network $NETWORK, probably the network is not up"
 			fi
 		elif [ -n "$PCAP_INTF" ]; then
 			DEPEND_IFNAME="$PCAP_INTF"
@@ -7,9 +7,9 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=nfs-kernel-server
-PKG_VERSION:=2.3.1
+PKG_VERSION:=2.3.2
 PKG_RELEASE:=1
-PKG_HASH:=ca92f1ab86b2af4dcd62d7716d46a6cdec268e83fe8d564cd8ff1464cc495989
+PKG_HASH:=1748a046e452ceb2285cc07b61ec0f85af7c92ac443e111a6c8a1061254ca717

 PKG_SOURCE_URL:=@SF/nfs
 PKG_SOURCE:=nfs-utils-$(PKG_VERSION).tar.bz2
@@ -68,8 +68,10 @@ define Package/nfs-utils/description
  Updated mount.nfs command - allows mounting nfs4 volumes
 endef

-TARGET_CFLAGS += -I$(PKG_BUILD_DIR)/lib -I$(STAGING_DIR)/usr/include/libevent \
-		 -I$(STAGING_DIR)/usr/include/ -Drpc_uint=uint
+TARGET_CFLAGS += -Wno-error=implicit-function-declaration \
+		 -Wno-error=strict-prototypes \
+		 -Wno-error=incompatible-pointer-types \
+		 -Wno-error=undef
 TARGET_LDFLAGS += -Wl,-rpath-link=$(STAGING_DIR)/usr/lib $(LIBRPC) \
 		  -L$(STAGING_DIR)/usr/lib/libevent

@@ -81,8 +83,7 @@ CONFIGURE_ARGS += \
 	--enable-static \
 	--enable-shared \
 	--disable-caps \
-	--disable-tirpc \
-	--disable-nfsdcld
+	--disable-tirpc

 CONFIGURE_VARS += \
 	libblkid_cv_is_recent=yes \
@@ -75,7 +75,6 @@ define Package/openvswitch-ovn-base/description
 endef

 OVN_BIN_TOOLS:=ovn-controller ovn-controller-vtep ovn-detrace \
-	ovn-docker-overlay-driver ovn-docker-underlay-driver \
 	ovn-nbctl ovn-sbctl ovn-trace
 define Package/openvswitch-ovn
  $(call Package/openvswitch/Default)
@@ -112,7 +111,7 @@ endef

 OVS_BIN_TOOLS:= \
 	ovsdb-client ovs-l3ping ovs-dpctl-top \
-	ovs-tcpdump ovs-tcpundump ovs-pcap ovs-parse-backtrace
+	ovs-tcpdump ovs-tcpundump ovs-pcap
 define Package/openvswitch
  $(call Package/openvswitch/Default)
  TITLE:=Open vSwitch Userspace Package
@@ -271,19 +270,15 @@ $(eval $(call OvsBinUtility,openvswitch-base,ovs-dpctl,Open vSwitch datapath man
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-vsctl,Open vSwitch ovs-vswitchd management utility))
 $(eval $(call OvsBinUtility,openvswitch-base,ovsdb-client,Open vSwitch database JSON-RPC client))
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-l3ping,Check network deployment for L3 tunneling problems))
-$(eval $(call OvsBinUtility,openvswitch-base,ovs-docker,Open vSwitch docker tool))
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-dpctl-top,Top like behavior for ovs-dpctl dump-flows))
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-pki,OpenFlow public key infrastructure management utility))
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-tcpdump,Dump traffic from an Open vSwitch port using tcpdump))
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-tcpundump,Convert ``tcpdump -xx`` output to hex strings))
 $(eval $(call OvsBinUtility,openvswitch-base,ovs-pcap,Print packets from a pcap file as hex))
-$(eval $(call OvsBinUtility,openvswitch-base,ovs-parse-backtrace,parses ovs-appctl backtrace output))

 $(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-controller,Open Virtual Network local controller))
 $(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-controller-vtep,Open Virtual Network local controller for vtep enabled physical switches,+openvswitch-vtep))
 $(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-detrace,Convert ``ovs-appctl ofproto/trace`` output to combine OVN logical flow information))
-$(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-docker-overlay-driver,OVN Docker overlay driver utility))
-$(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-docker-underlay-driver,OVN Docker underlay driver utility))
 $(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-nbctl,Open Virtual Network northbound db management utility))
 $(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-sbctl,Utility for querying and configuring OVN_Southbound data‐base))
 $(eval $(call OvsBinUtility,openvswitch-ovn-base,ovn-trace,Open Virtual Network logical network tracing utility))
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=unbound
 PKG_VERSION:=1.7.1
-PKG_RELEASE:=1
+PKG_RELEASE:=3

 PKG_LICENSE:=BSD-3-Clause
 PKG_LICENSE_FILES:=LICENSE
@@ -204,7 +204,7 @@ config unbound
    into MTU issues. Use this size in bytes to manage drop outs.

  option extended_luci '0'
-    Boolean. Extends a tab hierarchy in LuCI for advanced congfiguration.
+    Boolean. Extends a tab hierarchy in LuCI for advanced configuration.

  option extended_stats '0'
    Boolean. extended statistics are printed from unbound-control.
@@ -225,12 +225,18 @@ config unbound
    Boolean. Skip all this UCI nonsense. Manually edit the
    configuration. Make changes to /etc/unbound/unbound.conf.

+  option prefetch_root '0'
+    Boolean. Enable Unbound authority zone clauses for "." (root), "arpa,"
+    "in-addr.arpa," and "ip6.arpa" and obtain complete zone files from public
+    servers using http or AXFR (gTLD are unfortunately not as public).
+
  option protocol 'mixed'
    Unbound can limit its protocol used for recursive queries.
-    Set 'ip4_only' to avoid issues if you do not have native IP6.
-    Set 'ip6_prefer' to possibly improve performance as well as
-    not consume NAT paths for the client computers.
-    Do not use 'ip6_only' unless testing.
+    ip4_only - limit issues if you do not have native IPv6
+    ip6_only - test environment only; could cauase problems
+    ip6_prefer - both IPv4 and IPv6 but try IPv6 first
+    mixed - both IPv4 and IPv6
+    default - Unbound built-in defaults

  option query_minimize '0'
    Boolean. Enable a minor privacy option. Don't let each server know
@@ -257,15 +263,18 @@ config unbound
    3 - Plus DHCP-PD range passed down interfaces (not implemented)

  option recursion 'passive'
-    Unbound has numerous options for how it recurses. This UCI combines
-    them into "passive," "aggressive," or Unbound's own "default."
-    Passive is easy on resources, but slower until cache fills.
+    Unbound has many options for recrusion but UCI is bundled for simplicity.
+    passive - slower until cache fills but kind on CPU load
+    default - Unbound built-in defaults
+    aggressive - uses prefetching to handle more requests quickly

  option resource 'small'
-    Unbound has numerous options for resources. This UCI gives "tiny,"
-    "small," "medium," and "large." Medium is most like the compiled
-    defaults with a bit of balancing. Tiny is close to the published
-    memory restricted configuration. Small 1/2 medium, and large 2x.
+    Unbound has many options for resources but UCI is bundled for simplicity.
+    tiny - similar to published memory restricted configuration
+    small - about half of medium
+    medium - similar to default, but fixed for consistency
+    default - Unbound built-in defaults
+    large - about double of medium

  option root_age '9'
    Days. >90 Disables. Age limit for Unbound root data like root
@@ -35,6 +35,7 @@ UNBOUND_B_MAN_CONF=0
 UNBOUND_B_NTP_BOOT=1
 UNBOUND_B_QUERY_MIN=0
 UNBOUND_B_QRY_MINST=0
+UNBOUND_B_AUTH_ROOT=0

 UNBOUND_D_CONTROL=0
 UNBOUND_D_DOMAIN_TYPE=static
@@ -449,7 +450,7 @@ unbound_mkdir() {
      cp -p /usr/share/dns/root.hints $UNBOUND_HINTFILE

    elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "iterator will use built-in root hints"
+      logger -t unbound -s "default root hints (built in rootservers.net)"
    fi
  fi

@@ -463,7 +464,7 @@ unbound_mkdir() {
      $UNBOUND_ANCHOR -a $UNBOUND_KEYFILE

    elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-      logger -t unbound -s "validator will use built-in trust anchor"
+      logger -t unbound -s "default trust anchor (built in root DS record)"
    fi
  fi

@@ -605,6 +606,45 @@ unbound_forward() {

 ##############################################################################

+unbound_auth_root() {
+  local axfrservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
+  local httpserver="http://www.internic.net/domain/"
+  local authzones="root arpa in-addr.arpa ip6.arpa"
+  local server zone realzone
+  # Download or AXFR the root and arpa zones to reduce the work needed at
+  # top level of recursion. If your users will hit many ccTLD or you have
+  # tracking logs resolving many PTR, then this can speed things up.
+  # Total size of text in TMPFS could be about 5MB.
+
+
+  if [ "$UNBOUND_B_AUTH_ROOT" -gt 0 ] ; then
+    for zone in $authzones ; do
+      if [ "$zone" = "root" ] ; then
+        realzone="."
+      else
+        realzone=$zone
+      fi
+
+
+      {
+        echo "auth-zone:"
+        echo "  name: \"$realzone\""
+        for server in $axfrservers ; do
+          echo "  master: \"$server\""
+        done
+        echo "  url: \"$httpserver$zone.zone\""
+        echo "  fallback-enabled: yes"
+        echo "  for-downstream: no"
+        echo "  for-upstream: yes"
+        echo "  zonefile: \"$zone.zone\""
+        echo
+      } >> $UNBOUND_CONFFILE
+    done
+  fi
+}
+
+##############################################################################
+
 unbound_conf() {
  local rt_mem rt_conn modulestring domain ifsubnet

@@ -616,9 +656,13 @@ unbound_conf() {
    # Make fresh conf file
    echo "# $UNBOUND_CONFFILE generated by UCI $( date )"
    echo
-    # No threading
    echo "server:"
    echo "  username: unbound"
+    echo "  chroot: \"$UNBOUND_VARDIR\""
+    echo "  directory: \"$UNBOUND_VARDIR\""
+    echo "  pidfile: \"$UNBOUND_PIDFILE\""
+    echo
+    # No threading
    echo "  num-threads: 1"
    echo "  msg-cache-slabs: 1"
    echo "  rrset-cache-slabs: 1"
@@ -632,6 +676,7 @@ unbound_conf() {
    echo "  outgoing-interface: ::0"
    echo
    # Logging
+    echo "  use-syslog: yes"
    echo "  verbosity: 1"
    echo "  statistics-interval: 0"
    echo "  statistics-cumulative: no"
@@ -677,12 +722,18 @@ unbound_conf() {
      } >> $UNBOUND_CONFFILE
      ;;

-    *)
+    mixed)
      {
        echo "  do-ip4: yes"
        echo "  do-ip6: yes"
      } >> $UNBOUND_CONFFILE
      ;;
+
+    *)
+      if [ ! -f "$UNBOUND_TIMEFILE" ] ; then
+        logger -t unbound -s "default protocol configuration"
+      fi
+      ;;
  esac


@@ -708,15 +759,6 @@ unbound_conf() {
  } >> $UNBOUND_CONFFILE


-  {
-    # Default Files
-    echo "  use-syslog: yes"
-    echo "  chroot: \"$UNBOUND_VARDIR\""
-    echo "  directory: \"$UNBOUND_VARDIR\""
-    echo "  pidfile: \"$UNBOUND_PIDFILE\""
-  } >> $UNBOUND_CONFFILE
-
-
  if [ -f "$UNBOUND_HINTFILE" ] ; then
    # Optional hints if found
    echo "  root-hints: \"$UNBOUND_HINTFILE\"" >> $UNBOUND_CONFFILE
@@ -764,7 +806,7 @@ unbound_conf() {
    } >> $UNBOUND_CONFFILE

  elif [ ! -f "$UNBOUND_TIMEFILE" ] ; then
-    logger -t unbound -s "default memory resource consumption"
+    logger -t unbound -s "default memory configuration"
  fi

  # Assembly of module-config: options is tricky; order matters
@@ -803,27 +845,26 @@ unbound_conf() {
  }  >> $UNBOUND_CONFFILE


-  if [ "$UNBOUND_B_QRY_MINST" -gt 0 -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    {
-      # Some query privacy but "strict" will break some name servers
-      echo "  qname-minimisation: yes"
-      echo "  qname-minimisation-strict: yes"
-    } >> $UNBOUND_CONFFILE
-
-  elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
-    # Minor improvement on query privacy
-    echo "  qname-minimisation: yes" >> $UNBOUND_CONFFILE
-
-  else
-    echo "  qname-minimisation: no" >> $UNBOUND_CONFFILE
-  fi
-
-
  case "$UNBOUND_D_RECURSION" in
    passive)
      {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: no"
+        fi
+        # On demand fetching
        echo "  prefetch: no"
-        echo "  prefetch-key: no"
        echo "  target-fetch-policy: \"0 0 0 0 0\""
        echo
      } >> $UNBOUND_CONFFILE
@@ -831,8 +872,23 @@ unbound_conf() {

    aggressive)
      {
+        # Some query privacy but "strict" will break some servers
+        if [ "$UNBOUND_B_QRY_MINST" -gt 0 \
+          -a "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+          echo "  qname-minimisation-strict: yes"
+        elif [ "$UNBOUND_B_QUERY_MIN" -gt 0 ] ; then
+          echo "  qname-minimisation: yes"
+        else
+          echo "  qname-minimisation: no"
+        fi
+        # Use DNSSEC to quickly understand NXDOMAIN ranges
+        if [ "$UNBOUND_B_DNSSEC" -gt 0 ] ; then
+          echo "  aggressive-nsec: yes"
+          echo "  prefetch-key: yes"
+        fi
+        # Prefetch what can be
        echo "  prefetch: yes"
-        echo "  prefetch-key: yes"
        echo "  target-fetch-policy: \"3 2 1 0 0\""
        echo
      } >> $UNBOUND_CONFFILE
@@ -1070,6 +1126,7 @@ unbound_uci() {
  config_get_bool UNBOUND_B_MAN_CONF   "$cfg" manual_conf 0
  config_get_bool UNBOUND_B_QUERY_MIN  "$cfg" query_minimize 0
  config_get_bool UNBOUND_B_QRY_MINST  "$cfg" query_min_strict 0
+  config_get_bool UNBOUND_B_AUTH_ROOT  "$cfg" prefetch_root 0
  config_get_bool UNBOUND_B_LOCL_BLCK  "$cfg" rebind_localhost 0
  config_get_bool UNBOUND_B_DNSSEC     "$cfg" validator 0
  config_get_bool UNBOUND_B_NTP_BOOT   "$cfg" validator_ntp 1
@@ -1165,7 +1222,7 @@ unbound_uci() {

 ##############################################################################

-_resolv_setup() {
+unbound_resolv_setup() {
  if [ "$UNBOUND_N_RX_PORT" != "53" ] ; then
    return
  fi
@@ -1194,7 +1251,7 @@ _resolv_setup() {

 ##############################################################################

-_resolv_teardown() {
+unbound_resolv_teardown() {
  case $( cat /tmp/resolv.conf ) in
  *"generated by Unbound UCI"*)
    # our resolver file, reset to auto resolver file.
@@ -1209,8 +1266,6 @@ _resolv_teardown() {
 unbound_start() {
  config_load unbound
  config_foreach unbound_uci unbound
-
-
  unbound_mkdir


@@ -1229,19 +1284,18 @@ unbound_start() {


    unbound_forward
+    unbound_auth_root
    unbound_control
  fi


-  _resolv_setup
+  unbound_resolv_setup
 }

 ##############################################################################

 unbound_stop() {
-  _resolv_teardown
-
-
+  unbound_resolv_teardown
  rootzone_update
 }

@@ -15,13 +15,14 @@ config unbound
 	option listen_port '53'
 	option localservice '1'
 	option manual_conf '0'
-	option protocol 'mixed'
+	option prefetch_root '0'
+	option protocol 'default'
 	option query_minimize '0'
 	option query_min_strict '0'
 	option rebind_localhost '0'
 	option rebind_protection '1'
-	option recursion 'passive'
-	option resource 'small'
+	option recursion 'default'
+	option resource 'default'
 	option root_age '9'
 	option ttl_min '120'
 	option unbound_control '0'
@@ -6,14 +6,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=zerotier
-PKG_VERSION:=1.2.8
-PKG_RELEASE:=2
+PKG_VERSION:=1.2.10
+PKG_RELEASE:=1

 PKG_LICENSE:=GPL-3.0

 PKG_SOURCE_URL:=https://codeload.github.com/zerotier/ZeroTierOne/tar.gz/$(PKG_VERSION)?
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=08e2df34550d6bb68e106eaac48babb481160046818b0944ec41f1e158548a47
+PKG_HASH:=1c79ec57e67764079a77704b336e642ae3cf221dc8088b0cf9e9c81e0a9c0c57
 PKG_BUILD_DIR:=$(BUILD_DIR)/ZeroTierOne-$(PKG_VERSION)


@@ -1,33 +0,0 @@
-From bfb1a652dbf897dc065d2a1414296eb145a2224b Mon Sep 17 00:00:00 2001
-From: Moritz Warning <moritzwarning@web.de>
-Date: Mon, 23 Apr 2018 22:31:03 +0200
-Subject: [PATCH 3/4] remove -march=armv5
-
---
- make-linux.mk | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/make-linux.mk b/make-linux.mk
-index add1d3ae..49e14f70 100644
--- a/make-linux.mk
-+++ b/make-linux.mk
-@@ -229,12 +229,12 @@ endif
- # ARM32 hell -- use conservative CFLAGS
- ifeq ($(ZT_ARCHITECTURE),3)
- 	ifeq ($(shell if [ -e /usr/bin/dpkg ]; then dpkg --print-architecture; fi),armel)
-		override CFLAGS+=-march=armv5 -mfloat-abi=soft -msoft-float -mno-unaligned-access -marm
-		override CXXFLAGS+=-march=armv5 -mfloat-abi=soft -msoft-float -mno-unaligned-access -marm
-+		override CFLAGS+=-mfloat-abi=soft -msoft-float -mno-unaligned-access -marm
-+		override CXXFLAGS+=-mfloat-abi=soft -msoft-float -mno-unaligned-access -marm
- 		ZT_USE_ARM32_NEON_ASM_CRYPTO=0
- 	else
-		override CFLAGS+=-march=armv5 -mno-unaligned-access -marm
-		override CXXFLAGS+=-march=armv5 -mno-unaligned-access -marm
-+		override CFLAGS+=-mno-unaligned-access -marm
-+		override CXXFLAGS+=-mno-unaligned-access -marm
- 	endif
- endif
- 
-- 
-2.17.0
-