On dynamic interface proto (dhcp/pppoe) the hotplug will not execude (exit 9)
because the gateway is already released. The check will now only be made
on a ifup ACTION event.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 28c8b664e4)
On some environments, connecting to localhost was resolving to ::1,
which didn't match the bind to the explicit 127.0.0.1.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Added many more UCI config options, particularly for bridge connections
The recently introduced username/password options for bridges are kept,
even though they have been deprecated upstream for a while. In keeping
with this, while support is kept in UCI, the generated mosquitto.conf
file will always generate the "modern" remote_username/remote_password
options preferred by mosquitto instead.
Likewise for bridge clientid and remote_clientid options.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Use newest acme.sh release (2.6.8).
Remove dependency on ca-certificates and add dependency on ca-bundle.
Update environment variable.
Signed-off-by: Daniel Halmschlager <da@halms.at>
Backport to 17.01 for compatibility with 17.01.2, but keep the old envvar so
it'll hopefully keep working for users who haven't upgraded.
Closes#4579, closes#4699.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This commit introduces nlbwmon, the lightweight NetLink BandWidth Montor.
The nlbwmon daemon gathers per-host traffic statistics by querying netlink
accounting data. Due to this approach, the executable is very small and does
not rely on libpcap and CPU intensive raw sockets to monitor traffic.
Besides raw per-host traffic counters, nlbwmon also support rudimentary
traffic classification by observing IP protocols and used port numbers.
Gathered accounting data is stored into a series of database files which
are regularily committed to persistent storage.
Refresh, commit and accounting intervals are freely configurable as well
as the layer7 protocol mapping rules and observed source subnets.
This package also bundles a cli client which can be used to dump the
gathered traffic data as JSON, CSV or plaintext data. A pull request to
add a graphical LuCI frontend for nlbwmon is pending.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The most important change is local redirects being disabled by default.
There is an option called cgi.local-redir that allows enabling this
optimization manually back if needed.
Local redirects were initially introduced in 1.4.40 but caused many
problems for *some* web services.
One of problems is breaking Post/Redirect/Get design pattern. With
redirects handled on server side there is no browser redirection making
it "lose" the POST data.
Another possible issue are HTML forms with action="". With CGI local
redirects browser may be sending form data to the wrong URL (the one
that was supposed to redirect the browser).
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
According to openconnect --help output:
-m, --mtu=MTU Request MTU from server
--base-mtu=MTU Indicate path MTU to/from server
Fixes#2099 by allowing setting tunnel mtu
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
It was introduced with 41f8d5465 ("openconnect: fix a couple of minor
things and add an interface option") and not needed since 4083de9d7
("openconnect: use proto_add_host_dependency")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* create /etc/vsftpd directory for extra config files
like userlist, certificate and key
* modify config file to use that directory
* include that directory in conffiles for backup
* use PKG_HASH
* update URL
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
(cherry picked from commit 3f390c5509)
Adds the "notifications" option which is important when connecting
mosquitto to rabbitmq for instance.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Earlier, PROVIDES handling was clarified for the broker and the library.
Use the same style to properly provide the -client-ssl and -client-nossl
packages.
Signed-off-by: Karl Palsson <karlp@etactica.com>
Compile tested: LEDE HEAD
If unixodbc package is present in the environment, subversion
fails to compile due to missing dependencies.
Fixes the dependency on unixodbc if unixodbc package is selected.
Signed-off-by: Val Kulkov <val.kulkov@gmail.com>
(cherry picked from commit 06a529df35)
trigger_b4_dl fails to build in the 17.01 buildbot and that causes
also three other modules to be unbuilt (userdir, usertrack, webdav).
As a quick fix, disable trigger_b4_dl to see if the three missing
modules then build ok in the buildbot.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
This reverts commit 18d7593c72.
Buildbot did not build the new version successfully due to
krb5 detection problems. Let's revert to the previous version,
so that 17.01.1 can be built in a stable way.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
cherry picked from commit 6e788aca0c
Hopefully this will fix compilation of some plugins in the 17.01 buildbot.
signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
procd interface triggers may be busy. Unbound hard restarts will
flush the cache. This might happen frequently depending on how
interface triggers occur.
Change the procd trigger to reduce occurences. Load this trigger
prior to netifd (START=20), but only truly start Unbound from
the trigger rather than immediately in init. Clean up log entries
in scripts after Unbound, NTP, and DNSSEC are established.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Unbound is configured to restart on hotplug/iface but this can result
in numerous restarts at boot. Unbound also has a restart for NTP.
This was observed to generate trouble and even with procd robustness
too many crashes might occur (rare). Unbound would not be running.
Give more care to /var/lib/unbound/root.key during restarts. Use procd
for iface restarts. Check pidof() to wait one more second for Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
options 'add_local_fqdn' and 'add_wan_fqdn' can be affected
by race conditions when they are at level 4. Interface name
may not be returned by network tools. The conf file has bad
record formats and Unbound just will not load. Detect this
and fall back to only the host FQDN (level 3).
squash: improve documentation wording and format codes.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Read UNBOUND_TXT_DOMAIN from main unbound configuration.
This prevents records to be added into Unbound in the default 'lan' zone.
Signed-off-by: Audric Schiltknecht <storm+github@chemicalstorm.org>
[RELEASE] Released version 1.7.5 due to bug in compression
Released version 1.7.5 with the following main changes :
- BUG/MEDIUM: peers: fix buffer overflow control in intdecode.
- BUG/MEDIUM: buffers: Fix how input/output data are injected into buffers
- BUG/MEDIUM: http: Fix blocked HTTP/1.0 responses when compression is enabled
- BUG/MINOR: filters: Don't force the stream's wakeup when we wait in flt_end_analyze
- DOC: fix parenthesis and add missing "Example" tags
- DOC: update the contributing file
- DOC: log-format/tcplog/httplog update
- MINOR: config parsing: add warning when log-format/tcplog/httplog is overriden in "defaults" sections
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
[RELEASE] Released version 1.7.4
Released version 1.7.4 with the following main changes :
- MINOR: config: warn when some HTTP rules are used in a TCP proxy
- BUG/MINOR: spoe: Fix soft stop handler using a specific id for spoe filters
- BUG/MINOR: spoe: Fix parsing of arguments in spoe-message section
- BUG/MEDIUM: ssl: Clear OpenSSL error stack after trying to parse OCSP file
- BUG/MEDIUM: cli: Prevent double free in CLI ACL lookup
- BUG/MINOR: Fix "get map <map> <value>" CLI command
- BUG/MAJOR: connection: update CO_FL_CONNECTED before calling the data layer
- BUG/MEDIUM: ssl: switchctx should not return SSL_TLSEXT_ERR_ALERT_WARNING
- BUG/MINOR: checks: attempt clean shutw for SSL check
- CONTRIB: tcploop: add limits.h to fix build issue with some compilers
- CONTRIB: tcploop: make it build on FreeBSD
- CONTRIB: tcploop: fix time format to silence build warnings
- CONTRIB: tcploop: report action 'K' (kill) in usage message
- CONTRIB: tcploop: fix connect's address length
- CONTRIB: tcploop: use the trash instead of NULL for recv()
- BUG/MEDIUM: listener: do not try to rebind another process' socket
- BUG/MEDIUM: filters: Fix channels synchronization in flt_end_analyze
- BUG/MAJOR: stream-int: do not depend on connection flags to detect connection
- BUG/MEDIUM: connection: ensure to always report the end of handshakes
- BUG: payload: fix payload not retrieving arbitrary lengths
- BUG/MAJOR: http: fix typo in http_apply_redirect_rule
- MINOR: doc: 2.4. Examples should be 2.5. Examples
- BUG/MEDIUM: stream: fix client-fin/server-fin handling
- MINOR: fd: add a new flag HAP_POLL_F_RDHUP to struct poller
- BUG/MINOR: raw_sock: always perfom the last recv if RDHUP is not available
- DOC/MINOR: Fix typos in proxy protocol doc
- DOC: Protocol doc: add checksum, TLV type ranges
- DOC: Protocol doc: add SSL TLVs, rename CHECKSUM
- DOC: Protocol doc: add noop TLV
- MEDIUM: global: add a 'hard-stop-after' option to cap the soft-stop time
- BUG/MINOR: cfgparse: loop in tracked servers lists not detected by check_config_validity().
- MINOR: server: irrelevant error message with 'default-server' config file keyword.
- MINOR: doc: fix use-server example (imap vs mail)
- BUG/MEDIUM: tcp: don't require privileges to bind to device
- BUILD: make the release script use shortlog for the final changelog
- BUILD: scripts: fix typo in announce-release error message
Signed-off-by: Thomas Heil <heil@terminal-consulting.de>
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Original commit messages:
adblock: update 2.3.2
* optimize memory consumption &
enable overall sort only on devices with > 64MB RAM,
this prevents sort related kernel dumps
(cherry picked from commit 8c5b9a0802)
adblock: release 2.4.0
* add tld compression,
this new "top level domain compression" removes up to 40 thousand
needless host entries from the block lists and
lowers the memory footprint for the dns backends by 8-10 MByte
* optimize restart behavior in case of an error
* cosmetics
(cherry picked from commit ed470f0dcc)
adblock: release 2.4.0 (release 2)
* add missing sort step if tld compression was disabled
(cherry picked from commit b3b9972eac)
Unbound UCI tries to protect embedded flash from excess
use. Unbound RFC5011 KSK tracking can rewrite root.key
every few minutes to an hour. It also writes and destroys
files in the same directory during the process.
Recommended UCI delays for copying busy work in /var/
back to /etc/ may be too conservative. These are all
changed from 28 to 9 days.
The RFC5011 KSK results were also destroyed by an
init.d restart, even if /var/ is mounted on persistent
storage like USB drive. /var/lib/unbound/root.key is
now preserved during this process, unless a newer key
is installed in /etc/ manually or package update.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
When for example 'package/net/adblock' and DNSSEC vs NTP robustness
is enabled, significant restart thrashing can occur at boot up. DHCP
lease triggers may be occuring at the same time. Unbounds DNS-DHCP
may be incomplete until new DHCP solicit events. Solve this by
leaving a passive but complete host conf file during lease trigger.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
Bug fix dhcp4_slaac6 option was adding to all IP6 routes.
Filtering was added to this process to only include addresses
served from "this dhcp interface."
adblock 2.3.0 file output is now detected and automatically
integrated into Unbound local-zones. adblock deposites its
block site zone-files into /var/lib/unbound. If this is not
desired, then disable adblock or reconfigure to avoid Unbound.
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
To have service working nicely with procd it should be running in the
foreground. Otherwise it's not possible to e.g. stop it with the init.d
script. Luckily for us pptpd has a simple switch that allows it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes: 15e7f611af ("pptpd: convert init script to procd")
This fixes upstream regression introduced in 1.4.40. It was reported &
debugged in https://redmine.lighttpd.net/issues/2793
This fix is queued for 1.4.46 in the personal/gstrauss/master upstream
branch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Update to 1.4.42 introduced a problem with starting lighttpd as
OpenWrt/LEDE service. It was stopping whole init process at sth like:
783 root 1124 S {S50lighttpd} /bin/sh /etc/rc.common /etc/rc.d/S50lighttpd boot
799 root 1164 S /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
It was hanging until getting random pool:
[ 176.340007] random: nonblocking pool is initialized
and then immediately the rest of init process followed:
[ 176.423475] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 176.430754] jffs2_build_filesystem(): unlocking the mtd device... done.
[ 176.437615] jffs2_build_filesystem(): erasing all blocks after the end marker... done.
This was fixed in 1.4.44, but bump directly to 1.4.45 while at it.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* various optimizations & corner case fixes
* removed no longer needed debug information
* polished up for forthcoming LEDE release ;-)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 5cf40c94ee)
According to the snmpd.conf man page, the engineID of an snmp agent
should be consistent through time. However, it seems that the engineID
changes every reboot. Add options to configure how the engineID is
generated. The default setting generates it based on the MAC address of
the eth0 interface.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>