define KernelPackage/macremapper
SUBMENU:=Network Support
URL:=https://www.edgewaterwireless.com
- VERSION:=$(LINUX_VERSION)-$(BOARD)-$(PKG_RELEASE)
TITLE:=Dual Channel Wi-Fi macremapper Module
DEPENDS:= +kmod-cfg80211 +kmod-br-netfilter
FILES:=$(PKG_BUILD_DIR)/kernelmod/$(PKG_NAME).$(LINUX_KMOD_SUFFIX)
include $(INCLUDE_DIR)/kernel.mk
PKG_NAME:=mtd-rw
-PKG_VERSION:=git-20160214
-PKG_RELEASE:=2
+PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MIRROR_HASH:=c44db17c3e05079116a1704f277642c9ce6f5ca4fa380c60f7e6d44509dc16be
-PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw.git
PKG_SOURCE_PROTO:=git
-PKG_SOURCE_SUBDIR=$(PKG_NAME)-$(PKG_VERSION)
-PKG_SOURCE_VERSION:=7e8562067d6a366c8cbaa8084396c33b7e12986b
+PKG_SOURCE_URL:=https://github.com/jclehner/mtd-rw
+PKG_SOURCE_DATE:=2021-02-28
+PKG_SOURCE_VERSION:=e87767395a6d27380196702f5f7bf98e92774f3f
+PKG_MIRROR_HASH:=984218d7a8e1252419c45ef313f23fb6e5edfa83088f68a4a356b795444ab381
PKG_MAINTAINER:=Joseph C. Lehner <joseph.c.lehner@gmail.com>
PKG_LICENSE=GPL-2.0
+++ /dev/null
---- a/mtd-rw.c
-+++ b/mtd-rw.c
-@@ -54,7 +54,11 @@ MODULE_PARM_DESC(i_want_a_brick, "Make a
-
- static int set_writeable(unsigned n, bool w)
- {
-+#ifndef CONFIG_MTD
-+ struct mtd_info *mtd = -ENOSYS;
-+#else
- struct mtd_info *mtd = get_mtd_device(NULL, n);
-+#endif
- int err;
-
- if (IS_ERR(mtd)) {
-@@ -76,7 +80,9 @@ static int set_writeable(unsigned n, boo
- err = 0;
- }
-
-+#ifdef CONFIG_MTD
- put_mtd_device(mtd);
-+#endif
- return err;
- }
-
include $(TOPDIR)/rules.mk
PKG_NAME:=erlang
-PKG_VERSION:=26.2.3
+PKG_VERSION:=26.2.4
PKG_RELEASE:=1
PKG_SOURCE:=otp_src_$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/erlang/otp/releases/download/OTP-$(PKG_VERSION)
-PKG_HASH:=2c4e61b24fb1c131d9f30cfe2415320899180debdb71fb59195c72bd9a4ab625
+PKG_HASH:=b51ad69f57e2956dff4c893bcb09ad68fee23a7f8f6bba7d58449516b696de95
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE.txt
define Package/erlang
$(call Package/erlang/Default)
DEPENDS+= +libncurses +librt +zlib +libstdcpp
- PROVIDES:= erlang-erts=14.2.3 erlang-kernel=9.2.2 erlang-sasl=4.2.1 erlang-stdlib=5.2.1
+ PROVIDES:= erlang-erts=14.2.4 erlang-kernel=9.2.3 erlang-sasl=4.2.1 erlang-stdlib=5.2.2
endef
define Package/erlang/description
define Package/erlang-asn1
$(call Package/erlang/Default)
TITLE:=Abstract Syntax Notation One (ASN.1) support
- VERSION:=5.2.1
+ VERSION:=5.2.2
DEPENDS+= +erlang +erlang-syntax-tools
endef
define Package/erlang-compiler
$(call Package/erlang/Default)
TITLE:=Byte code compiler
- VERSION:=8.4.2
+ VERSION:=8.4.3
DEPENDS+= +erlang
endef
define Package/erlang-crypto
$(call Package/erlang/Default)
TITLE:=Cryptography support
- VERSION:=5.4.1
+ VERSION:=5.4.2
DEPENDS+= +erlang +libopenssl
endef
define Package/erlang-ssh
$(call Package/erlang/Default)
TITLE:=Secure Shell (SSH) support
- VERSION:=5.1.3
+ VERSION:=5.1.4
DEPENDS+= +erlang +erlang-crypto
endef
define Package/erlang-ssl
$(call Package/erlang/Default)
TITLE:=Secure Sockets Layer (SSL) support
- VERSION:=11.1.2
+ VERSION:=11.1.3
DEPENDS+= +erlang +erlang-crypto
endef
include $(TOPDIR)/rules.mk
PKG_NAME:=lua-eco
-PKG_VERSION:=3.3.0
+PKG_VERSION:=3.4.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL=https://github.com/zhaojh329/lua-eco/releases/download/v$(PKG_VERSION)
-PKG_HASH:=597c3edbb20c35f638b26b4fa7a02638c48f96f0330758a7ac1c44079b2170a3
+PKG_HASH:=c45c21c4531f6205f775865da1587fb6185705308b67834ac6f7990e83f482ec
PKG_MAINTAINER:=Jianhui Zhao <zhaojh329@gmail.com>
PKG_LICENSE:=MIT
PKG_VERSION:=1.5.1
PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat/archive/refs/tags
-PKG_HASH:=7d455f154de59eb0b073c3620bc8b873f7f697b3f21a112e6ff8dc9fca6d0826
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/lunarmodules/luaexpat
+PKG_MIRROR_HASH:=7e370d47e947a1acfeb4d00df012f47116fe7971f5b12033e92666e37a9312a1
PKG_CPE_ID:=cpe:/a:matthewwild:luaexpat
PKG_VERSION:=3.1.0
PKG_RELEASE:=1
-PKG_SOURCE:=v$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket/archive/refs/tags
-PKG_HASH:=bf033aeb9e62bcaa8d007df68c119c966418e8c9ef7e4f2d7e96bddeca9cca6e
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/lunarmodules/luasocket
+PKG_MIRROR_HASH:=1ee81f1f5a63d0d14c8c8571e8940604cbf1443c3b18ee7d3d1bac6791f853fc
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
PKG_LICENSE:=MIT
include $(TOPDIR)/rules.mk
PKG_NAME:=node
-PKG_VERSION:=v20.12.1
+PKG_VERSION:=v20.12.2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION)
-PKG_HASH:=b9bef0314e12773ef004368ee56a2db509a948d4170b9efb07441bac1f1407a0
+PKG_HASH:=bc57ee721a12cc8be55bb90b4a9a2f598aed5581d5199ec3bd171a4781bfecda
PKG_MAINTAINER:=Hirokazu MORIKAWA <morikw2@gmail.com>, Adrian Panella <ianchi74@outlook.com>
PKG_LICENSE:=MIT
PKG_NAME:=perl
PKG_VERSION:=$(PERL_VERSION)
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE_URL:=https://www.cpan.org/src/5.0
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
--- /dev/null
+From 002d6666a3ed5bc9c360c1f91116ebbf0c5ef57c Mon Sep 17 00:00:00 2001
+From: Georgi Valkov <gvalkov@gmail.com>
+Date: Sat, 20 Apr 2024 16:18:37 +0300
+Subject: [PATCH] revert 88efce38149481334db7ddb932f9b74eaaa9765b
+
+Signed-off-by: Georgi Valkov <gvalkov@gmail.com>
+---
+ Makefile.SH | 35 ++---------------------------------
+ installperl | 25 -------------------------
+ 2 files changed, 2 insertions(+), 58 deletions(-)
+
+--- a/Makefile.SH
++++ b/Makefile.SH
+@@ -61,16 +61,8 @@ true)
+ -compatibility_version \
+ ${api_revision}.${api_version}.${api_subversion} \
+ -current_version \
+- ${revision}.${patchlevel}.${subversion}"
+- case "$osvers" in
+- 1[5-9]*|[2-9]*)
+- shrpldflags="$shrpldflags -install_name `pwd`/\$@ -Xlinker -headerpad_max_install_names"
+- exeldflags="-Xlinker -headerpad_max_install_names"
+- ;;
+- *)
+- shrpldflags="$shrpldflags -install_name \$(shrpdir)/\$@"
+- ;;
+- esac
++ ${revision}.${patchlevel}.${subversion} \
++ -install_name \$(shrpdir)/\$@"
+ ;;
+ cygwin*)
+ shrpldflags="$shrpldflags -Wl,--out-implib=libperl.dll.a"
+@@ -353,14 +345,6 @@ MANIFEST_SRT = MANIFEST.srt
+
+ !GROK!THIS!
+
+-case "$useshrplib$osname" in
+-truedarwin)
+- $spitshell >>$Makefile <<!GROK!THIS!
+-PERL_EXE_LDFLAGS=$exeldflags
+-!GROK!THIS!
+- ;;
+-esac
+-
+ $spitshell >>$Makefile <<!GROK!THIS!
+ # Macros to invoke a copy of our fully operational perl during the build.
+ PERL_EXE = perl\$(EXE_EXT)
+@@ -1040,20 +1024,6 @@ $(PERL_EXE): $& $(perlmain_dep) $(LIBPER
+ $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(LLIBPERL) $(static_ext) `cat ext.libs` $(libs)
+ !NO!SUBS!
+ ;;
+-
+- darwin)
+- case "$useshrplib$osvers" in
+- true1[5-9]*|true[2-9]*) $spitshell >>$Makefile <<'!NO!SUBS!'
+- $(SHRPENV) $(CC) -o perl $(PERL_EXE_LDFLAGS) $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
+-!NO!SUBS!
+- ;;
+- *) $spitshell >>$Makefile <<'!NO!SUBS!'
+- $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
+-!NO!SUBS!
+- ;;
+- esac
+- ;;
+-
+ *) $spitshell >>$Makefile <<'!NO!SUBS!'
+ $(SHRPENV) $(CC) -o perl $(CLDFLAGS) $(CCDLFLAGS) $(perlmain_objs) $(static_ext) $(LLIBPERL) `cat ext.libs` $(libs)
+ !NO!SUBS!
+--- a/installperl
++++ b/installperl
+@@ -282,7 +282,6 @@ else {
+ safe_unlink("$installbin/$perl_verbase$ver$exe_ext");
+ copy("perl$exe_ext", "$installbin/$perl_verbase$ver$exe_ext");
+ strip("$installbin/$perl_verbase$ver$exe_ext");
+- fix_dep_names("$installbin/$perl_verbase$ver$exe_ext");
+ chmod(0755, "$installbin/$perl_verbase$ver$exe_ext");
+ `chtag -r "$installbin/$perl_verbase$ver$exe_ext"` if ($^O eq 'os390');
+ }
+@@ -350,7 +349,6 @@ foreach my $file (@corefiles) {
+ if (copy_if_diff($file,"$installarchlib/CORE/$file")) {
+ if ($file =~ /\.(\Q$so\E|\Q$dlext\E)$/) {
+ strip("-S", "$installarchlib/CORE/$file") if $^O eq 'darwin';
+- fix_dep_names("$installarchlib/CORE/$file");
+ chmod($SO_MODE, "$installarchlib/CORE/$file");
+ } else {
+ chmod($NON_SO_MODE, "$installarchlib/CORE/$file");
+@@ -749,27 +747,4 @@ sub strip
+ }
+ }
+
+-sub fix_dep_names {
+- my $file = shift;
+-
+- $^O eq "darwin" && $Config{osvers} =~ /^(1[5-9]|[2-9])/
+- && $Config{useshrplib}
+- or return;
+-
+- my @opts;
+- my $so = $Config{so};
+- my $libperl = "$Config{archlibexp}/CORE/libperl.$Config{so}";
+- if ($file =~ /\blibperl.\Q$Config{so}\E$/a) {
+- push @opts, -id => $libperl;
+- }
+- else {
+- push @opts, -change => getcwd . "/libperl.$so", $libperl;
+- }
+- push @opts, $file;
+-
+- $opts{verbose} and print " install_name_tool @opts\n";
+- system "install_name_tool", @opts
+- and die "Cannot update $file dependency paths\n";
+-}
+-
+ # ex: set ts=8 sts=4 sw=4 et:
include $(TOPDIR)/rules.mk
PKG_NAME:=php
-PKG_VERSION:=8.3.4
+PKG_VERSION:=8.3.6
PKG_RELEASE:=1
PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.php.net/distributions/
-PKG_HASH:=39a337036a546e5c28aea76cf424ac172db5156bd8a8fd85252e389409a5ba63
+PKG_HASH:=53c8386b2123af97626d3438b3e4058e0c5914cb74b048a6676c57ac647f5eae
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=no-mips16
include $(TOPDIR)/rules.mk
PKG_NAME:=django-restframework
-PKG_VERSION:=3.14.0
+PKG_VERSION:=3.15.1
PKG_RELEASE:=1
PYPI_NAME:=djangorestframework
-PKG_HASH:=579a333e6256b09489cbe0a067e66abe55c6595d8926be6b99423786334350c8
+PKG_HASH:=f88fad74183dfc7144b2756d0d2ac716ea5b4c7c9840995ac3bfd8ec034333c1
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_LICENSE:=BSD-3-Clause
include $(TOPDIR)/rules.mk
PKG_NAME:=django
-PKG_VERSION:=5.0.3
+PKG_VERSION:=5.0.4
PKG_RELEASE:=1
PYPI_NAME:=Django
-PKG_HASH:=5fb37580dcf4a262f9258c1f4373819aacca906431f505e4688e37f3a99195df
+PKG_HASH:=4bd01a8c830bb77a8a3b0e7d8b25b887e536ad17a81ba2dce5476135c73312bd
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
PKG_LICENSE:=BSD-3-Clause
include $(TOPDIR)/rules.mk
PKG_NAME:=python-cython
-PKG_VERSION:=3.0.7
+PKG_VERSION:=3.0.10
PKG_RELEASE:=1
PYPI_NAME:=Cython
-PKG_HASH:=fb299acf3a578573c190c858d49e0cf9d75f4bc49c3f24c5a63804997ef09213
+PKG_HASH:=dcc96739331fb854dcf503f94607576cfe8488066c61ca50dfd55836f132de99
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE.txt
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE.rst
PKG_CPE_ID:=cpe:/a:pocoo:jinja2
+HOST_BUILD_DEPENDS:= python-markupsafe/host
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/host-build.mk
include ../python3-package.mk
+include ../python3-host-build.mk
define Package/python3-jinja2
SECTION:=lang
$(eval $(call Py3Package,python3-jinja2))
$(eval $(call BuildPackage,python3-jinja2))
$(eval $(call BuildPackage,python3-jinja2-src))
+$(eval $(call HostBuild))
include $(TOPDIR)/rules.mk
PKG_NAME:=python-lxml
-PKG_VERSION:=5.1.0
+PKG_VERSION:=5.2.1
PKG_RELEASE:=1
PYPI_NAME:=lxml
-PKG_HASH:=3eea6ed6e6c918e468e693c41ef07f3c3acc310b70ddd9cc72d9ef84bc9564ca
+PKG_HASH:=3f7765e69bbce0906a7c74d5fe46d2c7a7596147318dbc08e4a2431f3060e306
PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSES.txt
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_CPE_ID:=cpe:/a:lxml:lxml
+PKG_BUILD_DEPENDS:=python-cython/host
+
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
include ../python3-package.mk
PKG_CPE_ID:=cpe:/a:pyyaml:pyyaml
PKG_BUILD_DEPENDS:=python-cython/host
+HOST_BUILD_DEPENDS:=python-cython/host
include ../pypi.mk
include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/host-build.mk
include ../python3-package.mk
+include ../python3-host-build.mk
define Package/python3-yaml
SECTION:=lang
$(eval $(call Py3Package,python3-yaml))
$(eval $(call BuildPackage,python3-yaml))
$(eval $(call BuildPackage,python3-yaml-src))
+$(eval $(call HostBuild))
PKG_NAME:=gost_engine
PKG_VERSION:=3.0.3
-PKG_HASH:=8cf888333d08b8bbcc12e4e8c0d8b258c74dbd67941286ffbcc648c6d3d66735
-PKG_LICENSE:=Apache-2.0
-PKG_RELEASE:=9
+PKG_RELEASE:=10
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION)
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/gost-engine/engine
+PKG_MIRROR_HASH:=ad88b0bc4ede265bc91757f0bb9777a381f8e271faa43992a054ddd5f435ad88
PKG_MAINTAINER:=Artur Petrov <github@phpchain.ru>
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
-PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
-PKG_INSTALL:=
-
define Package/gost_engine/Default
$(call Package/openssl/engine/Default)
TITLE:=GOST engine for OpenSSL
$(call Package/gost_engine/Default)
SECTION:=utils
CATEGORY:=Utilities
- DEPENDS:=libopenssl-gost_engine
+ DEPENDS:=+libopenssl-gost_engine
TITLE+= (utilities)
endef
CMAKE_OPTIONS += -DOPENSSL_ENGINES_DIR=/usr/lib/$(ENGINES_DIR)
define Package/libopenssl-gost_engine/install
- $(INSTALL_DIR) $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d
- $(INSTALL_DATA) $(PKG_BUILD_DIR)/bin/gost.so \
+ $(INSTALL_DIR) $(1)/usr/lib $(1)/usr/lib/$(ENGINES_DIR) $(1)/etc/ssl/engines.cnf.d
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/libgost.so \
+ $(1)/usr/lib/
+ $(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/lib/$(ENGINES_DIR)/gost.so \
$(1)/usr/lib/$(ENGINES_DIR)/
$(INSTALL_DATA) ./files/gost.cnf $(1)/etc/ssl/engines.cnf.d/
endef
define Package/gost_engine-util/install
$(INSTALL_DIR) $(1)/usr/bin
- $(INSTALL_BIN) $(PKG_BUILD_DIR)/bin/{gost12sum,gostsum} \
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/{gost12sum,gostsum} \
$(1)/usr/bin/
endef
SECTION:=libs
TITLE:=Gperftools Headers
URL:=https://github.com/gperftools/gperftools
- DEPENDS:= @!mips @!mipsel @!powerpc
+ DEPENDS:= @!(mips||mips64||mipsel||powerpc)
endef
define Package/gperftools-runtime
CATEGORY:=Libraries
TITLE:=Gperftools Runtime
URL:=https://github.com/gperftools/gperftools
- DEPENDS:= +libunwind +libstdcpp @!mips @!mipsel @!powerpc
+ DEPENDS:= +libunwind +libstdcpp @!(mips||mips64||mipsel||powerpc)
endef
define Package/gperftools-headers/description
PKG_NAME:=ibrcommon
PKG_VERSION:=1.0.1
-PKG_RELEASE:=9
+PKG_RELEASE:=10
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.ibr.cs.tu-bs.de/projects/ibr-dtn/releases
--- a/ibrcommon/data/File.cpp
+++ b/ibrcommon/data/File.cpp
-@@ -35,9 +35,7 @@
+@@ -35,10 +35,6 @@
#include <cerrno>
#include <fstream>
-#if !defined(HAVE_FEATURES_H) || defined(ANDROID)
- #include <libgen.h>
+-#include <libgen.h>
-#endif
-
+-
#ifdef __WIN32__
#include <io.h>
-@@ -226,7 +224,7 @@ namespace ibrcommon
+ #define FILE_DELIMITER_CHAR '\\'
+@@ -225,14 +221,11 @@ namespace ibrcommon
+
std::string File::getBasename() const
{
- #if !defined(ANDROID) && defined(HAVE_FEATURES_H)
+-#if !defined(ANDROID) && defined(HAVE_FEATURES_H)
- return std::string(basename(_path.c_str()));
-+ return std::string(basename((char *)_path.c_str()));
- #else
- char path[_path.length()+1];
- ::memcpy(&path, _path.c_str(), _path.length()+1);
+-#else
+- char path[_path.length()+1];
+- ::memcpy(&path, _path.c_str(), _path.length()+1);
+-
+- return std::string(basename(path));
+-#endif
++ size_t found = _path.find_last_of('/');
++ if (found != std::string::npos)
++ return _path.substr(found + 1);
++ else
++ return _path;
+ }
+
+ File File::get(const std::string &filename) const
--- /dev/null
+From 47c3850cddd63cebd9dc48e411963314449118f1 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sun, 31 Dec 2023 19:16:35 -0800
+Subject: [PATCH] mraa: Use posix basename
+
+Musl has removed the declaration from string.h [1] which exposes the
+problem especially with clang-17+ compiler where implicit function
+declaration is flagged as error. Use posix basename and make a copy of
+string to operate on to emulate GNU basename behaviour.
+
+[1] https://git.musl-libc.org/cgit/musl/commit/?id=725e17ed6dff4d0cd22487bb64470881e86a92e7
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ src/mraa.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/src/mraa.c
++++ b/src/mraa.c
+@@ -12,6 +12,7 @@
+ #endif
+
+ #include <dlfcn.h>
++#include <libgen.h>
+ #include <pwd.h>
+ #include <sched.h>
+ #include <stddef.h>
+@@ -338,9 +339,11 @@ static int
+ mraa_count_iio_devices(const char* path, const struct stat* sb, int flag, struct FTW* ftwb)
+ {
+ // we are only interested in files with specific names
+- if (fnmatch(IIO_DEVICE_WILDCARD, basename(path), 0) == 0) {
++ char* tmp = strdup(path);
++ if (fnmatch(IIO_DEVICE_WILDCARD, basename(tmp), 0) == 0) {
+ num_iio_devices++;
+ }
++ free(tmp);
+ return 0;
+ }
+
include $(TOPDIR)/rules.mk
PKG_NAME:=libssh
-PKG_VERSION:=0.10.4
-PKG_RELEASE:=2
+PKG_VERSION:=0.10.6
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://www.libssh.org/files/0.10/
-PKG_HASH:=07392c54ab61476288d1c1f0a7c557b50211797ad00c34c3af2bbc4dbc4bd97d
+PKG_HASH:=1861d498f5b6f1741b6abc73e608478491edcf9c9d4b6630eef6e74596de9dc1
PKG_MAINTAINER:=Mislav Novakovic <mislav.novakovic@sartura.hr>
PKG_LICENSE:=LGPL-2.1-or-later BSD-2-Clause
--- /dev/null
+--- a/cmake/Modules/FindMbedTLS.cmake
++++ b/cmake/Modules/FindMbedTLS.cmake
+@@ -34,7 +34,7 @@ set(_MBEDTLS_ROOT_HINTS_AND_PATHS
+
+ find_path(MBEDTLS_INCLUDE_DIR
+ NAMES
+- mbedtls/config.h
++ mbedtls/version.h
+ HINTS
+ ${_MBEDTLS_ROOT_HINTS_AND_PATHS}
+ PATH_SUFFIXES
+@@ -72,7 +72,13 @@ find_library(MBEDTLS_X509_LIBRARY
+ set(MBEDTLS_LIBRARIES ${MBEDTLS_SSL_LIBRARY} ${MBEDTLS_CRYPTO_LIBRARY}
+ ${MBEDTLS_X509_LIBRARY})
+
+-if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
++if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
++ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" _mbedtls_version_str REGEX
++ "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
++
++ string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*"
++ "\\1" MBEDTLS_VERSION "${_mbedtls_version_str}")
++elseif (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
+ file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _mbedtls_version_str REGEX
+ "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
+
+@@ -93,7 +99,7 @@ if (MBEDTLS_VERSION)
+ in the system variable MBEDTLS_ROOT_DIR"
+ )
+ else (MBEDTLS_VERSION)
+- find_package_handle_standard_args(MBedTLS
++ find_package_handle_standard_args(MbedTLS
+ "Could NOT find mbedTLS, try to set the path to mbedLS root folder in
+ the system variable MBEDTLS_ROOT_DIR"
+ MBEDTLS_INCLUDE_DIR
+--- a/src/libmbedcrypto.c
++++ b/src/libmbedcrypto.c
+@@ -118,8 +118,14 @@ int hmac_update(HMACCTX c, const void *d
+
+ int hmac_final(HMACCTX c, unsigned char *hashmacbuf, size_t *len)
+ {
++ const mbedtls_md_info_t *md_info;
+ int rc;
+- *len = (unsigned int)mbedtls_md_get_size(c->md_info);
++#if MBEDTLS_VERSION_MAJOR >= 3
++ md_info = mbedtls_md_info_from_ctx(c);
++#else
++ md_info = c->md_info;
++#endif
++ *len = (unsigned int)mbedtls_md_get_size(md_info);
+ rc = !mbedtls_md_hmac_finish(c, hashmacbuf);
+ mbedtls_md_free(c);
+ SAFE_FREE(c);
include $(TOPDIR)/rules.mk
PKG_NAME:=libwebp
-PKG_VERSION:=1.3.2
+PKG_VERSION:=1.4.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://storage.googleapis.com/downloads.webmproject.org/releases/webp
-PKG_HASH:=2a499607df669e40258e53d0ade8035ba4ec0175244869d1025d460562aa09b4
+PKG_HASH:=61f873ec69e3be1b99535634340d5bde750b2e4447caa1db9f61be3fd49ab1e5
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_LICENSE:=BSD-3-Clause
include $(TOPDIR)/rules.mk
PKG_NAME:=mtdev
-PKG_VERSION:=1.1.6
-PKG_RELEASE:=2
+PKG_VERSION:=1.1.7
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://bitmath.org/code/mtdev/
-PKG_HASH:=15d7b28da8ac71d8bc8c9287c2045fd174267bc740bec10cfda332dc1204e0e0
+PKG_HASH:=a107adad2101fecac54ac7f9f0e0a0dd155d954193da55c2340c97f2ff1d814e
PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>
PKG_LICENSE:=MIT
include $(TOPDIR)/rules.mk
PKG_NAME:=nghttp2
-PKG_VERSION:=1.57.0
+PKG_VERSION:=1.61.0
PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/nghttp2/nghttp2/releases/download/v$(PKG_VERSION)
-PKG_HASH:=9210b0113109f43be526ac5835d58a701411821a4d39e155c40d67c40f47a958
+PKG_HASH:=aa7594c846e56a22fbf3d6e260e472268808d3b49d5e0ed339f589e9cc9d484c
PKG_MAINTAINER:=Hans Dedecker <dedeckeh@gmail.com>
PKG_LICENSE:=MIT
include $(TOPDIR)/rules.mk
PKG_NAME:=imagemagick
-PKG_VERSION:=7.1.1.30
+PKG_VERSION:=7.1.1.31
PKG_RELEASE:=1
PKG_MAINTAINER:=Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
PKG_SOURCE:=ImageMagick-$(_PKGREV).tar.xz
PKG_SOURCE_URL:=https://imagemagick.org/archive
-PKG_HASH:=ec192780d09da7d7b1e7a374a19f97d69cceb4e5e83057515cd595eda233a891
+PKG_HASH:=7e5c8db53dd90a0cfc5cc7ca6d34728ed86054b4bc86e9787902285fec1107a8
PKG_BUILD_DIR:=$(BUILD_DIR)/ImageMagick-$(_PKGREV)
PKG_FIXUP:=autoreconf
PKG_NAME:=adblock-fast
PKG_VERSION:=1.1.1
-PKG_RELEASE:=r7
+PKG_RELEASE:=r8
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
PKG_LICENSE:=GPL-3.0-or-later
#!/bin/sh
# check if we are on real system
if [ -z "$${IPKG_INSTROOT}" ]; then
- echo "Stopping service and removing rc.d symlink for adblock-fast"
- /etc/init.d/adblock-fast stop || true
- /etc/init.d/adblock-fast killcache || true
- /etc/init.d/adblock-fast disable || true
+ echo -n "Stopping adblock-fast service... "
+ { /etc/init.d/adblock-fast stop && \
+ /etc/init.d/adblock-fast killcache; } >/dev/null 2>&1 && echo "OK" || echo "FAIL"
+ echo -n "Removing rc.d symlink for adblock-fast... "
+ /etc/init.d/adblock-fast disable >/dev/null 2>&1 && echo "OK" || echo "FAIL"
fi
exit 0
endef
include $(TOPDIR)/rules.mk
PKG_NAME:=adguardhome
-PKG_VERSION:=0.107.42
+PKG_VERSION:=0.107.48
PKG_RELEASE:=1
PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=v$(PKG_VERSION)
PKG_SOURCE_URL:=https://github.com/AdguardTeam/AdGuardHome
-PKG_MIRROR_HASH:=9bcca421f5069d73cf2b5b8b70b0f3768b8757de42dca461f9ea6f25d01b5c56
+PKG_MIRROR_HASH:=74d53a1fffeb5c24db536efadc92eeab2d8978277e513a98e630d2a3f7d142f6
PKG_LICENSE:=GPL-3.0-only
PKG_LICENSE_FILES:=LICENSE.txt
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
-PKG_VERSION:=0.9.4
-PKG_RELEASE:=3
+PKG_VERSION:=0.9.5
+PKG_RELEASE:=2
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
| antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) |
+| becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) |
| binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) |
| bogon | bogon prefixes | x | x | | | [Link](https://team-cymru.com) |
| bruteforceblock | bruteforceblocker IPs | x | x | | | [Link](https://danger.rulez.sk/index.php/bruteforceblocker/) |
| country | country blocks | x | x | | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | | | [Link](https://cinsscore.com/#list) |
-| darklist | blocks suspicious attacker IPs | x | x | | | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | | | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | | | [Link](https://www.spamhaus.org) |
| greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
-| ipblackhole | blackhole IPs | x | x | | | [Link](https://ip.blackhole.monster) |
+| ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
| ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
| myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | | | [Link](http://www.nixspam.org) |
| oisdbig | OISD-big IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdnsfw | OISD-nsfw IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
-| proxy | open proxies | x | | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
+| pallebone | curated IP blocklist | x | x | | | [Link](https://github.com/pallebone/StrictBlockPAllebone) |
+| proxy | open proxies | x | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | | | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | | | [Link](https://talosintelligence.com/reputation_center) |
* Full IPv4 and IPv6 support
* Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes
+* Block countries dynamically by Regional Internet Registry (RIR), e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE
* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
* All local input types support ranges in CIDR notation
* Auto-add the uplink subnet or uplink IP to the local allowlist
+* Prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets (DDoS attacks) in an additional prerouting chain
* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
+* Optionally always allow certain protocols/destination ports in wan-input and wan-forward chains
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
* Provides comprehensive runtime information
* Provides a detailed Set report
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
-| ban_loginput | option | 1 | log drops in the wan-input chain |
-| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
-| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
+| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
+| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
+| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
+| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
+| ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
+| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
+| ban_logforwardlan | option | 0 | log supsicious packets in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
+| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
| ban_basedir | option | /tmp | base working directory while banIP processing |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
-| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
+| ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) |
| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
+| ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
:::
::: banIP Set Statistics
:::
- Timestamp: 2024-03-02 07:38:28
+ Timestamp: 2024-04-17 23:02:15
------------------------------
- auto-added to allowlist today: 0
- auto-added to blocklist today: 0
+ blocked syn-flood packets in prerouting : 5
+ blocked udp-flood packets in prerouting : 11
+ blocked icmp-flood packets in prerouting : 6
+ blocked invalid ct packets in prerouting : 277
+ blocked invalid tcp packets in prerouting: 0
+ ----------
+ auto-added IPs to allowlist today: 0
+ auto-added IPs to blocklist today: 0
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) | Port/Protocol Limit
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
- allowlistv4MAC | 0 | - | - | OK: 0 | -
- allowlistv6MAC | 0 | - | - | OK: 0 | -
- allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 | -
- allowlistv6 | 2 | OK: 0 | OK: 0 | OK: 0 | -
- adguardtrackersv6 | 74 | - | - | OK: 0 | tcp: 80, 443
- adguardtrackersv4 | 883 | - | - | OK: 0 | tcp: 80, 443
- cinsscorev4 | 12053 | OK: 25 | OK: 0 | - | -
- countryv4 | 37026 | OK: 14 | OK: 0 | - | -
- deblv4 | 13592 | OK: 0 | OK: 0 | - | -
- countryv6 | 38139 | OK: 0 | OK: 0 | - | -
- deblv6 | 82 | OK: 0 | OK: 0 | - | -
- dohv6 | 837 | - | - | OK: 0 | tcp: 80, 443
- dohv4 | 1240 | - | - | OK: 0 | tcp: 80, 443
- dropv6 | 51 | OK: 0 | OK: 0 | - | -
- dropv4 | 592 | OK: 0 | OK: 0 | - | -
- firehol1v4 | 906 | OK: 1 | OK: 0 | - | -
- firehol2v4 | 2105 | OK: 0 | OK: 0 | OK: 0 | -
- threatv4 | 55 | OK: 0 | OK: 0 | - | -
- ipthreatv4 | 2042 | OK: 0 | OK: 0 | - | -
- turrisv4 | 6433 | OK: 0 | OK: 0 | - | -
- blocklistv4MAC | 0 | - | - | OK: 0 | -
- blocklistv6MAC | 0 | - | - | OK: 0 | -
- blocklistv4 | 0 | OK: 0 | OK: 0 | OK: 0 | -
- blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 | -
+ allowlistv4MAC | 0 | - | - | ON: 0 | -
+ allowlistv6MAC | 0 | - | - | ON: 0 | -
+ allowlistv4 | 1 | ON: 0 | ON: 0 | ON: 0 | -
+ allowlistv6 | 2 | ON: 0 | ON: 0 | ON: 0 | -
+ adguardtrackersv6 | 105 | - | - | ON: 0 | tcp: 80, 443
+ adguardtrackersv4 | 816 | - | - | ON: 0 | tcp: 80, 443
+ becyberv4 | 229006 | ON: 2254 | ON: 0 | - | -
+ cinsscorev4 | 7135 | ON: 1630 | ON: 2 | - | -
+ deblv4 | 10191 | ON: 23 | ON: 0 | - | -
+ countryv6 | 38233 | ON: 7 | ON: 0 | - | -
+ countryv4 | 37169 | ON: 2323 | ON: 0 | - | -
+ deblv6 | 65 | ON: 0 | ON: 0 | - | -
+ dropv6 | 66 | ON: 0 | ON: 0 | - | -
+ dohv4 | 1219 | - | - | ON: 0 | tcp: 80, 443
+ dropv4 | 895 | ON: 75 | ON: 0 | - | -
+ dohv6 | 832 | - | - | ON: 0 | tcp: 80, 443
+ threatv4 | 20 | ON: 0 | ON: 0 | - | -
+ firehol1v4 | 753 | ON: 1 | ON: 0 | - | -
+ ipthreatv4 | 1369 | ON: 20 | ON: 0 | - | -
+ firehol2v4 | 2216 | ON: 1 | ON: 0 | - | -
+ turrisv4 | 5613 | ON: 179 | ON: 0 | - | -
+ blocklistv4MAC | 0 | - | - | ON: 0 | -
+ blocklistv6MAC | 0 | - | - | ON: 0 | -
+ blocklistv4 | 0 | ON: 0 | ON: 0 | ON: 0 | -
+ blocklistv6 | 0 | ON: 0 | ON: 0 | ON: 0 | -
---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------
- 24 | 116113 | 16 (40) | 16 (0) | 13 (0)
+ 25 | 335706 | 17 (6513) | 17 (2) | 12 (0)
```
**banIP runtime information**
~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
- + version : 0.9.4-1
- + element_count : 116113
- + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, cinsscorev4, countryv4, deblv4, countryv6, deblv6, dohv6, dohv4, dropv6, dropv4, firehol1v4, firehol2v4, threatv4, ipthreatv4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ + version : 0.9.5-r1
+ + element_count : 335706
+ + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, adguardtrackersv6, adguardtrackersv4, becyberv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dohv4, dropv4, dohv6, threatv4, firehol1v4, ipthreatv4, firehol2v4, turrisv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
- + active_uplink : 217.89.211.113, fe80::2c35:fb80:e78c:cf71, 2003:ed:b5ff:2338:2c15:fb80:e78c:cf71
- + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: 2h
+ + active_uplink : 217.83.205.130, fe80::9cd6:12e9:c4df:75d3, 2003:ed:b5ff:43bd:9cd5:12e7:c3ef:75d8
+ + nft_info : priority: 0, policy: performance, loglevel: warn, expiry: 2h
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report
- + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
- + last_run : action: reload, log: logread, fetch: curl, duration: 0m 50s, date: 2024-03-02 07:35:01
- + system_info : cores: 4, memory: 1685, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25356-09be63de70
+ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/inp/fwd/lan): ✔/✘/✘/✘, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘
+ + last_run : action: reload, log: logread, fetch: curl, duration: 2m 33s, date: 2024-04-17 05:57:56
+ + system_info : cores: 4, memory: 1573, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r25932-338b463e1e
```
**banIP search information**
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments - and block access to the rest of the internet. All IPs which are _not_ listed in the allowlist (plus the external Allowlist URLs) are blocked.
**MAC/IP-binding**
-banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
+banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
```
MAC-address only:
C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
+MAC-address range:
+C8:C2:9B:F7:80:12/24 => this populate the MAC-range C8:C2:9B:00:00:00", "C8:C2:9B:FF:FF:FF to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
+
MAC-address with IPv4 concatenation:
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
```
+
**enable the cgi interface to receive remote logging events**
banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options:
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "tor exit nodes",
- "flag": "80-89 443 tcp"
+ "flag": "tcp 80-89 443"
},
[...]
```
Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed.
-Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, port numbers (plus ranges) for destination port limitations with 'tcp' (default) or 'udp' as protocol variants.
+Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.
## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
ban_backupdir="/tmp/banIP-backup"
ban_reportdir="/tmp/banIP-report"
ban_feedfile="/etc/banip/banip.feeds"
+ban_countryfile="/etc/banip/banip.countries"
ban_customfeedfile="/etc/banip/banip.custom.feeds"
ban_allowlist="/etc/banip/banip.allowlist"
ban_blocklist="/etc/banip/banip.blocklist"
ban_remotelog="0"
ban_remotetoken=""
ban_nftloglevel="warn"
-ban_nftpriority="-200"
+ban_nftpriority="-100"
ban_nftpolicy="memory"
ban_nftexpiry=""
ban_loglimit="100"
+ban_icmplimit="10"
+ban_synlimit="10"
+ban_udplimit="100"
ban_logcount="1"
ban_logterm=""
+ban_region=""
ban_country=""
ban_asn=""
-ban_loginput="1"
-ban_logforwardwan="1"
+ban_logprerouting="0"
+ban_loginput="0"
+ban_logforwardwan="0"
ban_logforwardlan="0"
ban_allowurl=""
+ban_allowflag=""
ban_allowlistonly="0"
ban_autoallowlist="1"
ban_autoallowuplink="subnet"
[ "${cpu}" = "0" ] && cpu="1"
[ "${core}" = "0" ] && core="1"
ban_cores="$((cpu * core))"
+ [ "${ban_cores}" -gt "16" ] && ban_cores="16"
fi
}
kill -INT "${pid}" >/dev/null 2>&1
done
fi
- : >"${ban_rdapfile}"
- : >"${ban_pidfile}"
+ : >"${ban_rdapfile}" >"${ban_pidfile}"
}
# write log messages
# load config
#
f_conf() {
- unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
+ local rir ccode region country
+
+ unset ban_dev ban_vlanallow ban_vlanblock ban_ifv4 ban_ifv6 ban_feed ban_allowurl ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_region ban_country ban_asn
config_cb() {
option_cb() {
local option="${1}"
"ban_logterm")
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
;;
+ "ban_region")
+ eval "${option}=\"$(printf "%s" "${ban_region}")${value} \""
+ ;;
"ban_country")
eval "${option}=\"$(printf "%s" "${ban_country}")${value} \""
;;
}
config_load banip
[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
+
+ for rir in ${ban_region}; do
+ while read -r ccode region country; do
+ if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then
+ ban_country="${ban_country} ${ccode}"
+ fi
+ done < "${ban_countryfile}"
+ done
}
# get nft/monitor actuals
# build initial nft file with base table, chains and rules
#
f_nftinit() {
- local wan_dev vlan_allow vlan_block feed_log feed_rc file="${1}"
+ local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}"
wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
[ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
[ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
+ for flag in ${ban_allowflag}; do
+ if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
+ allow_proto="${flag}"
+ elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
+ if [ -z "${allow_dport}" ]; then
+ allow_dport="${flag}"
+ else
+ allow_dport="${allow_dport}, ${flag}"
+ fi
+ fi
+ done
+ [ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }"
+
+ if [ "${ban_logprerouting}" = "1" ]; then
+ log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
+ log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
+ log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
+ log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
+ log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
+ fi
+
{
# nft header (tables and chains)
#
printf "%s\n" "delete table inet banIP"
fi
printf "%s\n" "add table inet banIP"
+ printf "%s\n" "add counter inet banIP cnt-icmpflood"
+ printf "%s\n" "add counter inet banIP cnt-udpflood"
+ printf "%s\n" "add counter inet banIP cnt-synflood"
+ printf "%s\n" "add counter inet banIP cnt-tcpinvalid"
+ printf "%s\n" "add counter inet banIP cnt-ctinvalid"
+ printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -150; policy accept; }"
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP reject-chain"
- # default reject rules
+ # default reject chain rules
#
printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset"
printf "%s\n" "add rule inet banIP reject-chain reject"
+ # default pre-routing rules
+ #
+ printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
+ printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
+ printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
+ printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
+ printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
+ printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
+ printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
+ printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
+ printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
+ printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt-tcpinvalid drop"
+
# default wan-input rules
#
- printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept"
+ printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
- printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
- printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
- printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
- printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
+ printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept"
+ printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept"
+ [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
# default wan-forward rules
#
- printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
+ printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
+ [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept"
# default lan-forward rules
#
- printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
+ printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
[ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain"
} >"${file}"
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
feed_rc="${?}"
- f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
+ f_log "debug" "f_nftinit ::: wan_dev: ${wan_dev}, vlan_allow: ${vlan_allow:-"-"}, vlan_block: ${vlan_block:-"-"}, allowed_dports: ${allow_dport:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
+ : >"${file}"
return "${feed_rc}"
}
#
f_down() {
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc
- local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport flag
+ local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target
local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
start_ts="$(date +%s)"
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \""
+ # set feed target
+ #
+ if [ "${ban_blocktype}" = "reject" ]; then
+ feed_target="goto reject-chain"
+ else
+ feed_target="drop"
+ fi
+
# set feed block direction
#
if [ "${ban_blockpolicy}" = "input" ]; then
for flag in ${feed_flag}; do
if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then
feed_comp="${flag}"
- elif { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; } && ! printf "%s" "${feed_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
+ elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then
feed_proto="${flag}"
- elif [ -n "${flag//[![:digit]]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
+ elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then
if [ -z "${feed_dport}" ]; then
feed_dport="${flag}"
else
fi
fi
done
- [ -n "${feed_dport}" ] && feed_dport="${feed_proto:-"tcp"} dport { ${feed_dport} }"
+ [ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }"
# chain/rule maintenance
#
done
elif [ "${feed%v*}" = "asn" ]; then
for asn in ${ban_asn}; do
- f_etag "${feed}" "${feed_url}AS${asn}" ".{asn}"
+ f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}"
rc="${?}"
[ "${rc}" = "4" ] && break
etag_rc="$((etag_rc + rc))"
break
fi
done
+
if [ "${feed_rc}" = "0" ]; then
f_backup "allowlist" "${tmp_allow}"
elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ]; then
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
- if [ "${ban_blocktype}" = "reject" ]; then
- printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter goto reject-chain"
- else
- printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
- fi
+ printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
- if [ "${ban_blocktype}" = "reject" ]; then
- printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
- else
- printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
- fi
+ printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
fi
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
- if [ "${ban_blocktype}" = "reject" ]; then
- printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter goto reject-chain"
- else
- printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
- fi
+ printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
- if [ "${ban_blocktype}" = "reject" ]; then
- printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
- else
- printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
- fi
+ printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
- printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter goto reject-chain"
+ printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
fi
fi
fi
} >"${tmp_nft}"
+ : >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
feed_rc="0"
elif [ "${feed%v*}" = "blocklist" ]; then
{
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
- if [ "${ban_blocktype}" = "reject" ]; then
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
- else
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
- fi
+ [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter ${feed_target}"
+ [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
elif [ "${proto}" = "6" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
- if [ "${ban_blocktype}" = "reject" ]; then
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
- else
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
- fi
+ [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter ${feed_target}"
+ [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
fi
} >"${tmp_nft}"
+ : >"${tmp_flush}" >"${tmp_raw}" >"${tmp_file}"
feed_rc="0"
# handle external feeds
feed_rc="${?}"
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
done
- rm -f "${tmp_raw}"
+ : >"${tmp_raw}"
# handle asn downloads
#
feed_rc="${?}"
[ "${feed_rc}" = "0" ] && "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
done
- rm -f "${tmp_raw}"
+ : >"${tmp_raw}"
# handle compressed downloads
#
feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
feed_rc="${?}"
[ "${feed_rc}" = "0" ] && "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}"
- rm -f "${tmp_raw}"
+ : >"${tmp_raw}"
# handle normal downloads
#
# deduplicate Sets
#
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
- "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
+ "${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}"
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
else
- "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
+ "${ban_awkcmd}" '{sub("\r$", ""); print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}"
fi
feed_rc="${?}"
# split Sets
#
if [ "${feed_rc}" = "0" ]; then
- if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
+ if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "512" ]; then
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
- rm -f "${tmp_file}".*
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
+ rm -f "${tmp_file}".*
fi
else
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
fi
feed_rc="${?}"
fi
- rm -f "${tmp_raw}" "${tmp_load}"
+ : >"${tmp_raw}" >"${tmp_load}"
+
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
{
# nft header (IPv4 Set)
# input and forward rules
#
- if [ "${ban_blocktype}" = "reject" ]; then
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter goto reject-chain"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
- else
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter drop"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter drop"
- fi
+ [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}"
+ [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
# input and forward rules
#
- if [ "${ban_blocktype}" = "reject" ]; then
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter goto reject-chain"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
- else
- [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter drop"
- [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter drop"
- fi
+ [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}"
+ [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
fi
+ : >"${tmp_flush}" >"${tmp_file}.1"
fi
# load generated nft file in banIP table
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)"
else
cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)"
+ : >"${tmp_split}"
fi
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
#
if [ "${feed_rc}" = "0" ]; then
for split_file in "${tmp_file}".*; do
- [ ! -f "${split_file}" ] && break
- if [ "${split_file##*.}" = "1" ]; then
- rm -f "${split_file}"
- continue
- fi
- if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $("${ban_catcmd}" "${split_file}") }" >/dev/null 2>&1; then
+ [ ! -s "${split_file}" ] && continue
+ "${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}"
+ printf "%s\n" "}" >> "${split_file}"
+ if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
fi
- rm -f "${split_file}"
+ : >"${split_file}"
done
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
f_log "info" "skip empty feed '${feed}'"
fi
fi
- rm -f "${tmp_split}" "${tmp_nft}"
+ : >"${tmp_nft}"
end_ts="$(date +%s)"
f_log "debug" "f_down ::: feed: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
json_get_keys feedlist
tmp_del="${ban_tmpfile}.final.delete"
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
- table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
+ table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
{
printf "%s\n\n" "#!/usr/sbin/nft -f"
for item in ${table_sets}; do
feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)"
feed_rc="${?}"
fi
- rm -f "${tmp_del}"
+ : >"${tmp_del}"
f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
}
end_time="$(date "+%s")"
duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s"
fi
- table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
+ table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
if [ "${ban_reportelements}" = "1" ]; then
for object in ${table_sets}; do
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
json_close_array
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}"
- json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
+ json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/inp/fwd/lan): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
json_dump >"${ban_rtfile}"
cnt_domain="$((cnt_domain + 1))"
done
if [ -n "${elementsv4}" ]; then
- if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
+ if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" { ${elementsv4} } >/dev/null 2>&1; then
f_log "info" "can't add lookup file to Set '${feed}v4'"
fi
fi
if [ -n "${elementsv6}" ]; then
- if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
+ if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" { ${elementsv6} } >/dev/null 2>&1; then
f_log "info" "can't add lookup file to Set '${feed}v6'"
fi
fi
#
f_report() {
local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
- local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan output="${1}"
-
+ local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
+ local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid output="${1}"
[ -z "${ban_dev}" ] && f_conf
f_mkdir "${ban_reportdir}"
report_jsn="${ban_reportdir}/ban_report.jsn"
# json output preparation
#
ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
- table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
+ table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"&&@.set.family="inet"].set.name')"
sum_sets="0"
sum_setinput="0"
sum_setforwardwan="0"
sum_cntinput="0"
sum_cntforwardwan="0"
sum_cntforwardlan="0"
+ sum_synflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-synflood"].*.packets')"
+ sum_udpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-udpflood"].*.packets')"
+ sum_icmpflood="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-icmpflood"].*.packets')"
+ sum_ctinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-ctinvalid"].*.packets')"
+ sum_tcpinvalid="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.counter.name="cnt-tcpinvalid"].*.packets')"
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
: >"${report_jsn}"
{
[ "${expr}" = "1" ] && [ -z "${set_dport}" ] && set_dport="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.right.set")"
[ "${expr}" = "1" ] && [ -z "${set_proto}" ] && set_proto="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[${expr}].match.right=\"@${item}\"].expr[*].match.left.payload.protocol")"
done
- if [ -n "${set_dport}" ]; then
- set_dport="${set_dport//[\{\}\":]/}"
- set_dport="${set_dport#\[ *}"
- set_dport="${set_dport%* \]}"
- set_dport="${set_proto}: $(f_trim "${set_dport}")"
- fi
if [ "${ban_reportelements}" = "1" ]; then
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
sum_setelements="$((sum_setelements + set_cnt))"
set_cnt=""
sum_setelements="n/a"
fi
+ if [ -n "${set_dport}" ]; then
+ set_dport="${set_dport//[\{\}\":]/}"
+ set_dport="${set_dport#\[ *}"
+ set_dport="${set_dport%* \]}"
+ set_dport="${set_proto}: $(f_trim "${set_dport}")"
+ fi
if [ -n "${set_cntinput}" ]; then
- set_input="OK"
+ set_input="ON"
sum_setinput="$((sum_setinput + 1))"
sum_cntinput="$((sum_cntinput + set_cntinput))"
else
set_cntinput=""
fi
if [ -n "${set_cntforwardwan}" ]; then
- set_forwardwan="OK"
+ set_forwardwan="ON"
sum_setforwardwan="$((sum_setforwardwan + 1))"
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
else
set_cntforwardwan=""
fi
if [ -n "${set_cntforwardlan}" ]; then
- set_forwardlan="OK"
+ set_forwardlan="ON"
sum_setforwardlan="$((sum_setforwardlan + 1))"
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
else
printf "\t%s\n" "\"timestamp\": \"${timestamp}\","
printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\","
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
+ printf "\t%s\n" "\"sum_synflood\": \"${sum_synflood}\","
+ printf "\t%s\n" "\"sum_udpflood\": \"${sum_udpflood}\","
+ printf "\t%s\n" "\"sum_icmpflood\": \"${sum_icmpflood}\","
+ printf "\t%s\n" "\"sum_ctinvalid\": \"${sum_ctinvalid}\","
+ printf "\t%s\n" "\"sum_tcpinvalid\": \"${sum_tcpinvalid}\","
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
json_get_var timestamp "timestamp" >/dev/null 2>&1
json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
+ json_get_var sum_synflood "sum_synflood" >/dev/null 2>&1
+ json_get_var sum_udpflood "sum_udpflood" >/dev/null 2>&1
+ json_get_var sum_icmpflood "sum_icmpflood" >/dev/null 2>&1
+ json_get_var sum_ctinvalid "sum_ctinvalid" >/dev/null 2>&1
+ json_get_var sum_tcpinvalid "sum_tcpinvalid" >/dev/null 2>&1
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
printf "%s\n" " Timestamp: ${timestamp}"
printf "%s\n" " ------------------------------"
- printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}"
- printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}"
+ printf "%s\n" " blocked syn-flood packets : ${sum_synflood}"
+ printf "%s\n" " blocked udp-flood packets : ${sum_udpflood}"
+ printf "%s\n" " blocked icmp-flood packets : ${sum_icmpflood}"
+ printf "%s\n" " blocked invalid ct packets : ${sum_ctinvalid}"
+ printf "%s\n" " blocked invalid tcp packets: ${sum_tcpinvalid}"
+ printf "%s\n" " ----------"
+ printf "%s\n" " auto-added IPs to allowlist: ${autoadd_allow}"
+ printf "%s\n\n" " auto-added IPs to blocklist: ${autoadd_block}"
json_select "sets" >/dev/null 2>&1
json_get_keys table_sets >/dev/null 2>&1
if [ -n "${table_sets}" ]; then
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
if [ -n "${input}" ]; then
- ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
+ ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v4"
if [ -z "${proto}" ]; then
- ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
+ ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v6"
fi
fi
printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
return
fi
- printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
- printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
- printf " %s\n" "---"
cnt="1"
for item in ${table_sets}; do
[ -f "${result_flag}" ] && break
(
if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then
+ printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
+ printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
+ printf " %s\n" "---"
printf " %s\n" "IP found in Set '${item}'"
: >"${result_flag}"
fi
cnt="$((cnt + 1))"
done
wait
- [ -f "${result_flag}" ] && rm -f "${result_flag}" || printf " %s\n" "IP not found"
+ if [ -f "${result_flag}" ]; then
+ rm -f "${result_flag}"
+ else
+ printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
+ printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
+ printf " %s\n" "---"
+ printf " %s\n" "IP not found"
+ fi
}
# Set survey
# log monitor
#
f_monitor() {
- local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
+ local daemon logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_prefix rdap_length rdap_info
if [ -f "${ban_logreadfile}" ]; then
logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
rdap_rc="${?}"
if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
- rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')"
- rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
- if [ -n "${rdap_elements//\/*/}" ]; then
- if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then
- f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+ [ "${proto}" = "v4" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v4prefix')"
+ [ "${proto}" = "v6" ] && rdap_prefix="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.v6prefix')"
+ rdap_length="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*.length')"
+ rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
+ [ -z "${rdap_info}" ] && rdap_info="$(jsonfilter -l1 -i "${ban_rdapfile}" -qe '@.notices[0].links[0].value' | awk 'BEGIN{FS="[/.]"}{printf"%s, %s","n/a",toupper($4)}')"
+ if [ -n "${rdap_prefix}" ] && [ -n "${rdap_length}" ]; then
+ if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${rdap_prefix}/${rdap_length} ${nft_expiry} } >/dev/null 2>&1; then
+ f_log "info" "add IP range '${rdap_prefix}/${rdap_length}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
fi
fi
else
f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
fi
fi
- if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then
- if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
+ if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_prefix}" ] || [ -z "${rdap_length}" ]; then
+ if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then
f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
fi
fi
#!/bin/sh
# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
-# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
+# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
f_getdev
f_getuplink
f_mkdir "${ban_backupdir}"
-f_mkfile "${ban_blocklist}"
f_mkfile "${ban_allowlist}"
+f_mkfile "${ban_blocklist}"
# firewall check
#
fi
fi
-# init nft namespace
+# init banIP nftables namespace
#
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
if f_nftinit "${ban_tmpfile}".init.nft; then
- f_log "info" "initialize nft namespace"
+ f_log "info" "initialize banIP nftables namespace"
else
- f_log "err" "can't initialize nft namespace"
+ f_log "err" "can't initialize banIP nftables namespace"
fi
fi
continue
fi
- # handle IPv4/IPv6 feeds with the same/single download URL
+ # handle IPv4/IPv6 feeds with a single download URL
#
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
fi
continue
fi
- # handle IPv4/IPv6 feeds with separated download URLs
+
+ # handle IPv4/IPv6 feeds with separate download URLs
#
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
-af;Afghanistan
-ax;Ã…land Islands
-al;Albania
-dz;Algeria
-as;American Samoa
-ad;Andorra
-ao;Angola
-ai;Anguilla
-aq;Antarctica
-ag;Antigua & Barbuda
-ar;Argentina
-am;Armenia
-aw;Aruba
-au;Australia
-at;Austria
-az;Azerbaijan
-bs;Bahamas
-bh;Bahrain
-bd;Bangladesh
-bb;Barbados
-by;Belarus
-be;Belgium
-bz;Belize
-bj;Benin
-bm;Bermuda
-bt;Bhutan
-bo;Bolivia
-ba;Bosnia
-bw;Botswana
-bv;Bouvet Island
-br;Brazil
-io;British Indian Ocean Territory
-vg;British Virgin Islands
-bn;Brunei
-bg;Bulgaria
-bf;Burkina Faso
-bi;Burundi
-kh;Cambodia
-cm;Cameroon
-ca;Canada
-cv;Cape Verde
-bq;Caribbean Netherlands
-ky;Cayman Islands
-cf;Central African Republic
-td;Chad
-cl;Chile
-cn;China
-cx;Christmas Island
-cc;Cocos (Keeling) Islands
-co;Colombia
-km;Comoros
-cg;Congo - Brazzaville
-cd;Congo - Kinshasa
-ck;Cook Islands
-cr;Costa Rica
-ci;Côte d’Ivoire
-hr;Croatia
-cu;Cuba
-cw;Curaçao
-cy;Cyprus
-cz;Czechia
-dk;Denmark
-dj;Djibouti
-dm;Dominica
-do;Dominican Republic
-ec;Ecuador
-eg;Egypt
-sv;El Salvador
-gq;Equatorial Guinea
-er;Eritrea
-ee;Estonia
-sz;Eswatini
-et;Ethiopia
-fk;Falkland Islands
-fo;Faroe Islands
-fj;Fiji
-fi;Finland
-fr;France
-gf;French Guiana
-pf;French Polynesia
-tf;French Southern Territories
-ga;Gabon
-gm;Gambia
-ge;Georgia
-de;Germany
-gh;Ghana
-gi;Gibraltar
-gr;Greece
-gl;Greenland
-gd;Grenada
-gp;Guadeloupe
-gu;Guam
-gt;Guatemala
-gg;Guernsey
-gn;Guinea
-gw;Guinea-Bissau
-gy;Guyana
-ht;Haiti
-hm;Heard & McDonald Islands
-hn;Honduras
-hk;Hong Kong
-hu;Hungary
-is;Iceland
-in;India
-id;Indonesia
-ir;Iran
-iq;Iraq
-ie;Ireland
-im;Isle of Man
-il;Israel
-it;Italy
-jm;Jamaica
-jp;Japan
-je;Jersey
-jo;Jordan
-kz;Kazakhstan
-ke;Kenya
-ki;Kiribati
-kw;Kuwait
-kg;Kyrgyzstan
-la;Laos
-lv;Latvia
-lb;Lebanon
-ls;Lesotho
-lr;Liberia
-ly;Libya
-li;Liechtenstein
-lt;Lithuania
-lu;Luxembourg
-mo;Macau
-mg;Madagascar
-mw;Malawi
-my;Malaysia
-mv;Maldives
-ml;Mali
-mt;Malta
-mh;Marshall Islands
-mq;Martinique
-mr;Mauritania
-mu;Mauritius
-yt;Mayotte
-mx;Mexico
-fm;Micronesia
-md;Moldova
-mc;Monaco
-mn;Mongolia
-me;Montenegro
-ms;Montserrat
-ma;Morocco
-mz;Mozambique
-mm;Myanmar
-na;Namibia
-nr;Nauru
-np;Nepal
-nl;Netherlands
-nc;New Caledonia
-nz;New Zealand
-ni;Nicaragua
-ne;Niger
-ng;Nigeria
-nu;Niue
-nf;Norfolk Island
-mp;Northern Mariana Islands
-kp;North Korea
-mk;North Macedonia
-no;Norway
-om;Oman
-pk;Pakistan
-pw;Palau
-ps;Palestine
-pa;Panama
-pg;Papua New Guinea
-py;Paraguay
-pe;Peru
-ph;Philippines
-pn;Pitcairn Islands
-pl;Poland
-pt;Portugal
-pr;Puerto Rico
-qa;Qatar
-re;Réunion
-ro;Romania
-ru;Russia
-rw;Rwanda
-ws;Samoa
-sm;San Marino
-st;São Tomé & PrÃncipe
-sa;Saudi Arabia
-sn;Senegal
-rs;Serbia
-sc;Seychelles
-sl;Sierra Leone
-sg;Singapore
-sx;Sint Maarten
-sk;Slovakia
-si;Slovenia
-sb;Solomon Islands
-so;Somalia
-za;South Africa
-gs;South Georgia & South Sandwich Islands
-kr;South Korea
-ss;South Sudan
-es;Spain
-lk;Sri Lanka
-bl;St. Barthélemy
-sh;St. Helena
-kn;St. Kitts & Nevis
-lc;St. Lucia
-mf;St. Martin
-pm;St. Pierre & Miquelon
-vc;St. Vincent & Grenadines
-sd;Sudan
-sr;Suriname
-sj;Svalbard & Jan Mayen
-se;Sweden
-ch;Switzerland
-sy;Syria
-tw;Taiwan
-tj;Tajikistan
-tz;Tanzania
-th;Thailand
-tl;Timor-Leste
-tg;Togo
-tk;Tokelau
-to;Tonga
-tt;Trinidad & Tobago
-tn;Tunisia
-tr;Turkey
-tm;Turkmenistan
-tc;Turks & Caicos Islands
-tv;Tuvalu
-ug;Uganda
-ua;Ukraine
-ae;United Arab Emirates
-gb;United Kingdom
-us;United States
-uy;Uruguay
-um;U.S. Outlying Islands
-vi;U.S. Virgin Islands
-uz;Uzbekistan
-vu;Vanuatu
-va;Vatican City
-ve;Venezuela
-vn;Vietnam
-wf;Wallis & Futuna
-eh;Western Sahara
-ye;Yemen
-zm;Zambia
-zw;Zimbabwe
+af APNIC Afghanistan
+ax RIPE Ã…land Islands
+al RIPE Albania
+dz AFRINIC Algeria
+as APNIC American Samoa
+ad RIPE Andorra
+ao AFRINIC Angola
+ai ARIN Anguilla
+aq ARIN Antarctica
+ag ARIN Antigua & Barbuda
+ar LACNIC Argentina
+am RIPE Armenia
+aw LACNIC Aruba
+au APNIC Australia
+at RIPE Austria
+az RIPE Azerbaijan
+bs ARIN Bahamas
+bh RIPE Bahrain
+bd APNIC Bangladesh
+bb ARIN Barbados
+by RIPE Belarus
+be RIPE Belgium
+bz LACNIC Belize
+bj AFRINIC Benin
+bm ARIN Bermuda
+bt APNIC Bhutan
+bo LACNIC Bolivia
+bq LACNIC Bonaire
+ba RIPE Bosnia & Herzegowina
+bw AFRINIC Botswana
+bv ARIN Bouvet Island
+br LACNIC Brazil
+io APNIC British Indian Ocean Territory
+bn APNIC Brunei
+bg RIPE Bulgaria
+bf AFRINIC Burkina Faso
+bi AFRINIC Burundi
+kh APNIC Cambodia
+cm AFRINIC Cameroon
+ca ARIN Canada
+cv AFRINIC Cape Verde
+ky ARIN Cayman Islands
+cf AFRINIC Central African Republic
+td AFRINIC Chad
+cl LACNIC Chile
+cn APNIC China
+cx APNIC Christmas Island
+cc APNIC Cocos Islands
+co LACNIC Colombia
+km AFRINIC Comoros
+cg AFRINIC Congo - Brazzaville
+cd AFRINIC Congo - Kinshasa
+ck APNIC Cook Islands
+cr LACNIC Costa Rica
+ci AFRINIC Côte D'ivoire
+hr RIPE Croatia
+cu LACNIC Cuba
+cw LACNIC Curaçao
+cy RIPE Cyprus
+cz RIPE Czechia
+dk RIPE Denmark
+dj AFRINIC Djibouti
+dm ARIN Dominica
+do LACNIC Dominican Republic
+ec LACNIC Ecuador
+eg AFRINIC Egypt
+sv LACNIC El Salvador
+gq AFRINIC Equatorial Guinea
+er AFRINIC Eritrea
+ee RIPE Estonia
+sz AFRINIC Eswatini
+et AFRINIC Ethiopia
+fk LACNIC Falkland Islands
+fo RIPE Faroe Islands
+fj APNIC Fiji
+fi RIPE Finland
+fr RIPE France
+gf LACNIC French Guiana
+pf APNIC French Polynesia
+tf APNIC French Southern Territories
+ga AFRINIC Gabon
+gm AFRINIC Gambia
+ge RIPE Georgia
+de RIPE Germany
+gh AFRINIC Ghana
+gi RIPE Gibraltar
+gr RIPE Greece
+gl RIPE Greenland
+gd ARIN Grenada
+gp ARIN Guadeloupe
+gu APNIC Guam
+gt LACNIC Guatemala
+gg RIPE Guernsey
+gn AFRINIC Guinea
+gw AFRINIC Guinea-Bissau
+gy LACNIC Guyana
+ht LACNIC Haiti
+hm ARIN Heard & McDonald Islands
+hn LACNIC Honduras
+hk APNIC Hong Kong
+hu RIPE Hungary
+is RIPE Iceland
+in APNIC India
+id APNIC Indonesia
+ir RIPE Iran
+iq RIPE Iraq
+ie RIPE Ireland
+im RIPE Isle of Man
+il RIPE Israel
+it RIPE Italy
+jm ARIN Jamaica
+jp APNIC Japan
+je RIPE Jersey
+jo RIPE Jordan
+kz RIPE Kazakhstan
+ke AFRINIC Kenya
+ki APNIC Kiribati
+kw RIPE Kuwait
+kg RIPE Kyrgyzstan
+la APNIC Lao
+lv RIPE Latvia
+lb RIPE Lebanon
+ls AFRINIC Lesotho
+lr AFRINIC Liberia
+ly AFRINIC Libya
+li RIPE Liechtenstein
+lt RIPE Lithuania
+lu RIPE Luxembourg
+mo APNIC Macao
+mg AFRINIC Madagascar
+mw AFRINIC Malawi
+my APNIC Malaysia
+mv APNIC Maldives
+ml AFRINIC Mali
+mt RIPE Malta
+mh APNIC Marshall Islands
+ma AFRINIC Marocco
+mq ARIN Martinique
+mr AFRINIC Mauritania
+mu AFRINIC Mauritius
+yt AFRINIC Mayotte
+mx LACNIC Mexico
+fm APNIC Micronesia
+md RIPE Moldova
+mc RIPE Monaco
+mn APNIC Mongolia
+me RIPE Montenegro
+ms ARIN Montserrat
+mz AFRINIC Mozambique
+mm APNIC Myanmar
+na AFRINIC Namibia
+nr APNIC Nauru
+np APNIC Nepal
+nl RIPE Netherlands
+nc APNIC New Caledonia
+nz APNIC New Zealand
+ni LACNIC Nicaragua
+ne AFRINIC Niger
+ng AFRINIC Nigeria
+nu APNIC Niue
+nf APNIC Norfolk Island
+kp APNIC North Korea
+mk RIPE North Macedonia
+mp APNIC Northern Mariana Islands
+no RIPE Norway
+om RIPE Oman
+pk APNIC Pakistan
+pw APNIC Palau
+ps RIPE Palestine
+pa LACNIC Panama
+pg APNIC Papua New Guinea
+py LACNIC Paraguay
+pe LACNIC Peru
+ph APNIC Philippines
+pn APNIC Pitcairn
+pl RIPE Poland
+pt RIPE Portugal
+pr ARIN Puerto Rico
+qa RIPE Qatar
+re AFRINIC Reunion
+ro RIPE Romania
+ru RIPE Russian Federation
+rw AFRINIC Rwanda
+sh ARIN Saint Helena
+bl ARIN Saint Barthélemy
+kn ARIN Saint Kitts & Nevis
+lc ARIN Saint Lucia
+mf ARIN Saint Martin
+pm ARIN Saint Pierre & Miquelon
+vc ARIN Saint Vincent & the Grenadines
+ws APNIC Samoa
+sm RIPE San Marino
+st AFRINIC Sao Tome & Principe
+sa RIPE Saudi Arabia
+sn AFRINIC Senegal
+rs RIPE Serbia
+sc AFRINIC Seychelles
+sl AFRINIC Sierra Leone
+sg APNIC Singapore
+sx LACNIC Sint Maarten
+sk RIPE Slovakia
+si RIPE Slovenia
+sb APNIC Solomon Islands
+so AFRINIC Somalia
+za AFRINIC South Africa
+gs LACNIC South Georgia
+kr APNIC South Korea
+ss AFRINIC South Sudan
+es RIPE Spain
+lk APNIC Sri Lanka
+sd AFRINIC Sudan
+sr LACNIC Suriname
+sj RIPE Svalbard & Jan Mayen Islands
+se RIPE Sweden
+ch RIPE Switzerland
+sy RIPE Syrian
+tw APNIC Taiwan
+tj RIPE Tajikistan
+tz AFRINIC Tanzania
+th APNIC Thailand
+tl APNIC Timor-Leste
+tg AFRINIC Togo
+tk APNIC Tokelau
+to APNIC Tonga
+tt LACNIC Trinidad & Tobago
+tn AFRINIC Tunisia
+tr RIPE Türkey
+tm RIPE Turkmenistan
+tc ARIN Turks & Caicos Islands
+tv APNIC Tuvalu
+ug AFRINIC Uganda
+ua RIPE Ukraine
+ae RIPE United Arab Emirates
+gb RIPE United Kingdom
+us ARIN United States
+um ARIN United States Minor Outlying Islands
+uy LACNIC Uruguay
+uz RIPE Uzbekistan
+vu APNIC Vanuatu
+va RIPE Vatikan City
+ve LACNIC Venezuela
+vn APNIC Vietnam
+vg ARIN Virgin Islands (British)
+vi ARIN Virgin Islands (U.S.)
+wf APNIC Wallis & Futuna Islands
+eh AFRINIC Western Sahara
+ye RIPE Yemen
+zm AFRINIC Zambia
+zw AFRINIC Zimbabwe
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "adaway IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"adguard":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "adguard IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"adguardtrackers":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "adguardtracker IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"antipopads":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "antipopads IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"asn":{
"url_4": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "ASN IP segments",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"backscatterer":{
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
"descr": "backscatterer IPs",
"flag": "gz"
},
+ "becyber":{
+ "url_4": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips.txt",
+ "url_6": "https://raw.githubusercontent.com/duggytuxy/malicious_ip_addresses/main/botnets_zombies_scanner_spam_ips_ipv6.txt",
+ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+ "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+ "descr": "malicious attacker IPs"
+ },
"binarydefense":{
"url_4": "https://iplists.firehol.org/files/bds_atif.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "country blocks"
},
- "darklist":{
- "url_4": "https://darklist.de/raw.php",
- "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
- "descr": "suspicious attacker IPs"
- },
"debl":{
- "url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
- "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
+ "url_4": "https://lists.blocklist.de/lists/all.txt",
+ "url_6": "https://lists.blocklist.de/lists/all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"descr": "fail2ban IP blocklist"
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "public DoH-Provider",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"drop":{
"url_4": "https://www.spamhaus.org/drop/drop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}",
"descr": "dshield IP blocklist"
},
- "edrop":{
- "url_4": "https://www.spamhaus.org/drop/edrop.txt",
- "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
- "descr": "spamhaus edrop compilation"
- },
"etcompromised":{
"url_4": "https://iplists.firehol.org/files/et_compromised.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "advertising IPs",
- "flag": "gz 80 443"
+ "flag": "gz tcp 80 443"
},
"iblockspy":{
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"descr": "malicious spyware IPs",
- "flag": "gz 80 443"
+ "flag": "gz tcp 80 443"
},
- "ipblackhole":{
- "url_4": "https://ip.blackhole.monster/blackhole-today",
- "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
- "descr": "blackhole IP blocklist"
+ "ipsum":{
+ "url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt",
+ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}",
+ "descr": "malicious IPs"
},
"ipthreat":{
"url_4": "https://lists.ipthreat.net/file/ipthreat-lists/threat/threat-30.txt.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "OISD-big IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"oisdnsfw":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "OISD-nsfw IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"oisdsmall":{
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "OISD-small IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
+ },
+ "pallebone":{
+ "url_4": "https://raw.githubusercontent.com/pallebone/StrictBlockPAllebone/master/BlockIP.txt",
+ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+ "descr": "curated IP blocklist"
},
"proxy":{
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "stevenblack IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
},
"talos":{
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"descr": "yoyo IPs",
- "flag": "80 443"
+ "flag": "tcp 80 443"
}
}
[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
-[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir -p "${ban_lock}"
+[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
+[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
+[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
boot() {
: >"${ban_pidfile}"
search() {
f_search "${1}"
+ rm -rf "${ban_lock}"
}
survey() {
include $(TOPDIR)/rules.mk
PKG_NAME:=cloudflared
-PKG_VERSION:=2024.3.0
+PKG_VERSION:=2024.4.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=6e5fda072d81b2d40208a0d244b44aaf607f26709711e157e23f44f812594e93
+PKG_HASH:=a68882beb5ec2855a17253a751295c4cc4f8f9ca3b49920ffa7e398995f85055
PKG_LICENSE:=Apache-2.0
PKG_LICENSE_FILES:=LICENSE
PKG_NAME:=curl
PKG_VERSION:=8.7.1
-PKG_RELEASE:=r1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://github.com/curl/curl/releases/download/curl-$(subst .,_,$(PKG_VERSION))/ \
SECTION:=net
CATEGORY:=Network
URL:=http://curl.se/
- MAINTAINER:=Stan Grishin <stangri@melmac.ca>
+ MAINTAINER:=
endef
define Package/curl
--- /dev/null
+From: Kailun Qin <kailun.qin@intel.com>
+Date: Mon, 8 Apr 2024 05:13:56 -0400
+Subject: [PATCH] mbedtls: call mbedtls_ssl_setup() after RNG callback is set
+
+Since mbedTLS v3.6.0, the RNG check added in ssl_conf_check() will fail
+if no RNG is provided when calling mbedtls_ssl_setup().
+
+Therefore, mbedtls_ssl_conf_rng() needs to be called before the SSL
+context is passed to mbedtls_ssl_setup().
+
+Ref: https://github.com/Mbed-TLS/mbedtls/commit/b422cab052b51ec84758638d6783d6ba4fc60613
+
+Signed-off-by: Kailun Qin <kailun.qin@intel.com>
+Closes #13314
+---
+
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -602,10 +602,6 @@ mbed_connect_step1(struct Curl_cfilter *
+ }
+
+ mbedtls_ssl_init(&backend->ssl);
+- if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
+- failf(data, "mbedTLS: ssl_init failed");
+- return CURLE_SSL_CONNECT_ERROR;
+- }
+
+ /* new profile with RSA min key len = 1024 ... */
+ mbedtls_ssl_conf_cert_profile(&backend->config,
+@@ -639,6 +635,15 @@ mbed_connect_step1(struct Curl_cfilter *
+
+ mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
+ &backend->ctr_drbg);
++
++ ret = mbedtls_ssl_setup(&backend->ssl, &backend->config);
++ if(ret) {
++ mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
++ failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s",
++ -ret, errorbuf);
++ return CURLE_SSL_CONNECT_ERROR;
++ }
++
+ mbedtls_ssl_set_bio(&backend->ssl, cf,
+ mbedtls_bio_cf_write,
+ mbedtls_bio_cf_read,
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsproxy
-PKG_VERSION:=0.66.0
+PKG_VERSION:=0.70.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=6928b109fb1080fec2aadc0cad20d0c08d13b5ff5db1a7c82ecfe200eec21326
+PKG_HASH:=a78ce398f2019e7a3a57e7ffcb06ecfb6d08e36e0a07c58ada4ac4871cecd677
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=Apache-2.0
--- /dev/null
+## **Prelude**
+- This document only covers scripts installed on OpenWrt systems and only options available on OpenWrt.
+- geoip-shell supports a numer of different use cases, many different platforms, and 2 backend firewall utilities (nftables and iptables). For this reason I designed it to be modular rather than monolithic. In this design, the functionality is split between few main scripts. Each main script performs specific tasks and utilizes library scripts which are required for the task with the given platform and firewall utility.
+- This document provides some info on the purpose and core options of the main scripts and how they work in tandem.
+- The main scripts display "usage" when called with the "-h" option. You can find out about some additional options specific to each script by running it with that option.
+
+## **Overview**
+
+### Main Scripts
+- geoip-shell-install.sh
+- geoip-shell-uninstall.sh
+- geoip-shell-manage.sh
+- geoip-shell-run.sh
+- geoip-shell-fetch.sh
+- geoip-shell-apply.sh
+- geoip-shell-backup.sh
+- geoip-shell-cronsetup.sh
+
+### Helper Scripts
+**geoip-shell-geoinit.sh**
+- This script is sourced from all main scripts. It sets some essential variables, checks for compatible shell, then sources the -lib-common script, then sources the /etc/geoip-shell/geoip-shell.const file which stores some system-specific constants.
+
+**geoip-shell-detect-lan.sh**
+This script is only used under specific conditions:
+- During initial setup, with whitelist mode, and only if wan interfaces were set to 'all', and LAN subnets were not specified via command line args. geoip-shell then assumes that it is being installed on a machine belonging to a LAN, uses this script to detect the LAN subnets and offers the user to add them to the whitelist, and to enable automatic detection of LAN subnets in the future.
+- At the time of creating/updating firewall rules, and only if LAN subnets automatic detection is enabled. geoip-shell then re-detects LAN subnets automatically.
+
+### Library Scripts
+- lib/geoip-shell-lib-common.sh
+- lib/geoip-shell-lib-setup.sh
+- lib/geoip-shell-lib-ipt.sh
+- lib/geoip-shell-lib-nft.sh
+- lib/geoip-shell-lib-status.sh
+- lib/geoip-shell-lib-arrays.sh
+- lib/geoip-shell-lib-uninstall.sh
+
+The -lib-common script includes a large number of functions used throughout the suite, and assigns some essential variables.
+
+The lib-setup script implements CLI interactive and noninteractive setup and arguments parsing. It is used in the -manage script.
+
+The -lib-status script implements the status report which you can get by issuing the `geoip-shell status` command.
+
+The -ipt and -nft scripts implement support for iptables and nftables, respectively. They are sourced from other scripts which need to interact with the firewall utility directly.
+
+
+The -lib-arrays script implements a minimal subset of functions emulating the functionality of associative arrays in POSIX-compliant shell. It is used in the -fetch script. It is a part of a larger project implementing much more of the arrays functionality. You can check my other repositories if you are interested.
+
+The -lib-uninstall script has some functions which are used both for uninstallation and for reset if required.
+
+### OpenWrt-specific scripts
+- geoip-shell-lib-owrt-common.sh
+- geoip-shell-init
+- geoip-shell-mk-fw-include.sh
+- geoip-shell-fw-include.sh
+- geoip-shell-owrt-uninstall.sh
+
+For more information about integration with OpenWrt, read [OpenWrt-README.md](OpenWrt-README.md)
+
+### User interface
+The scripts intended as user interface are **geoip-shell-install.sh**, **geoip-shell-uninstall.sh**, **geoip-shell-manage.sh** and **check-ip-in-source.sh**. All the other scripts are intended as a back-end. If you just want to install and move on, you only need to run the -install script.
+After installation, the user interface is provided by running "geoip-shell", which is a symlink to the -manage script.
+
+## **Main scripts in detail**
+**geoip-shell-manage.sh**: serves as the main user interface to configure geoip after installation. You can also call it by simply typing `geoip-shell`. As most scripts in this suite, it requires root privileges because it needs to interact with the netfilter kernel component and access the data folder which is only readable and writable by root. Since it serves as the main user interface, it contains a lot of logic to generate a report, parse, validate and initiate actions requested by the user (by calling other scripts as required), check for possible remote machine lockout and warn the user about it, check actions result, update the config and take corrective actions in case of an error. Describing all this is beyond the scope of this document but you can read the code. Sources the lib-status script when generating a status report. Sources lib-setup for some of the arguments parsing logic and interactive dialogs implementation.
+
+`geoip-shell <on|off> [-c <"country_codes">]` : Enable or disable the geoip blocking chain (via a rule in the base geoip chain)
+
+`geoip-shell <add|remove> [-c <"country_codes">]` :
+* Adds or removes the specified country codes to/from the config file.
+* Calls the -run script to fetch the ip lists for specified countries and apply them to the firewall (or to remove them).
+
+`geoip-shell status`
+* Displays information on the current state of geoip blocking
+* For a list of all firewall rules in the geoip chain and for detailed count of ip ranges, run `geoip-shell status -v`.
+
+`geoip-shell restore` : re-fetches and re-applies geoip firewall rules and ip lists as per the config.
+
+`geoip-shell configure [options]` : changes geoip-shell configuration
+
+**Options for the `geoip-shell configure` command:**
+
+`-m [whitelist|blacklist]`: Change geoip blocking mode.
+
+`-c <"country codes">`: Change which country codes are included in the whitelist/blacklist (this command replaces all country codes with newly specified ones).
+
+`-f <ipv4|ipv6|"ipv4 ipv6">`: Families (defaults to 'ipv4 ipv6'). Use double quotes for multiple families.
+
+`-u [ripe|ipdeny]`: Change ip lists source.
+
+`-i <[ifaces]|auto|all>`: Change which network interfaces geoip firewall rules are applied to. `auto` will attempt to automatically detect WAN network interfaces. `auto` works correctly in **most** cases but not in **every** case. Don't use `auto` if the machine has no direct connection to WAN. The automatic detection occurs only when manually triggered by the user via this command.
+
+`-l <"[lan_ips]"|auto|none>`: Specify LAN ip's or subnets to exclude from blocking (both ipv4 and ipv6). `auto` will trigger LAN subnets re-detection at every update of the ip lists. When specifying custom ip's or subnets, automatic detection is disabled. This option is only avaiable when using geoip-shell in whitelist mode.
+
+`-t <"[trusted_ips]|none">`: Specify trusted ip's or subnets (anywhere on the Internet) to exclude from geoip blocking (both ipv4 and ipv6).
+
+`-p <[tcp|udp]:[allow|block]:[all|<ports>]>`: specify ports geoip blocking will apply (or not apply) to, for tcp or udp. To specify ports for both tcp and udp, use the `-p` option twice. For more details, read [NOTES.md](NOTES.md), sections 9-11.
+
+`-r <[user_country_code]|none>` : Specify user's country code. Used to prevent accidental lockout of a remote machine. `none` disables this feature.
+
+`-s <"schedule_expression"|disable>` : enables automatic ip lists updates and configures the schedule for the periodic cron job which implements this feature. `disable` disables automatic ip lists updates.
+
+`-o <true|false>` : No backup. If set to 'true', geoip-shell will not create a backup of ip lists and firewall rules after applying changes, and will automatically re-fetch ip lists after each reboot. Default is 'true' for OpenWrt, 'false' for all other systems.
+
+`-a <path>` : Set custom path to directory where backups and the status file will be stored. Default is '/tmp/geoip-shell-data' for OpenWrt, '/var/lib/geoip-shell' for all other systems.
+
+
+`-O <memory|performance>`: specify optimization policy for nftables sets. By default optimizes for low memory consumption if system RAM is less than 2GiB, otherwise optimizes for performance. This option doesn't work with iptables.
+
+`geoip-shell showconfig` : prints the contents of the config file.
+
+
+**geoip-shell-run.sh**: Serves as a proxy to call the -fetch, -apply and -backup scripts with arguments required for each action. Executes the requested actions, depending on the config set by the -install and -manage scripts, and the command line options, and writes to system log when starting and on action completion (or if any errors encountered). If persistence or autoupdates are enabled, the cron jobs (or on OpenWrt, the firewall include script) call this script with the necessary options. If a non-fatal error is encountered during an automatic update function, the script enters sort of a temporary daemon mode where it will re-try the action (up to a certain number of retries) with increasing time intervals. It also implements some logic to account for unexpected issues encountered during the 'restore' action which runs after system reboot to impelement persistnece, such as a missing backup, and in this situation will automatically change its action from 'restore' to 'update' and try to re-fetch and re-apply the ip lists.
+
+`geoip-shell-run add -l <"list_id [list_id] ... [list_id]">` : Fetches ip lists, loads them into ip sets and applies firewall rules for specified list id's.
+A list id has the format of `<country_code>_<family>`. For example, ****US_ipv4** and **GB_ipv6** are valid list id's.
+
+`geoip-shell-run remove -l <"list_ids">` : Removes iplists and firewall rules for specified list id's.
+
+`geoip-shell-run update` : Updates the ip sets for list id's that had been previously configured. Intended for triggering from periodic cron jobs.
+
+`geoip-shell-run restore` : Restore previously downloaded lists from backup (skip fetching). Used by the reboot cron job (or by the firewall include on OpenWrt) to implement persistence.
+
+**geoip-shell-fetch.sh**
+- Fetches ip lists for given list id's from RIPE or from ipdeny. The source is selected during installation. If you want to change the default which is RIPE, install with the `-u ipdeny` option.
+- Parses, validates, compiles the downloaded lists, and saves each one to a separate file.
+- Implements extensive sanity checks at each stage (fetching, parsing, validating and saving) and handles errors if they occur.
+
+(for specifics on how to use the script, run it with the -h option)
+
+**geoip-shell-apply.sh**: directly interfaces with the firewall. Creates or removes ip sets and firewall rules for specified list id's. Sources the lib-apply-ipt or lib-apply-nft script which does most of the actual work.
+
+`geoip-shell-apply add -l <"list_ids">` :
+- Loads ip list files for specified list id's into ip sets and applies firewall rules required for geoip blocking.
+
+List id has the format of `<country_code>_<family>`. For example, **US_ipv4** and **GB_ipv6** are valid list id's.
+
+`geoip-shell-apply remove -l <"list_ids">` :
+- removes ip sets and geoip firewall rules for specified list id's.
+
+**geoip-shell-cronsetup.sh** manages all the cron-related logic and actions. Called by the -manage script. Cron jobs are created based on the settings stored in the config file. Also used to validate cron schedule provided by the user at the time of installation or later.
+
+**geoip-shell-backup.sh**: Creates a backup of current geoip-shell firewall rules and ip sets and current geoip-shell config, or restores them from backup. By default (if you didn't run the installation with the '-o' option), backup will be created after every change to ip sets in the firewall. Backups are automatically compressed and de-compressed with the best utility available to the system, in this order "bzip2, xz, gzip", or simply "cat" as a fallback if neither is available (which generally should never happen on Linux). Only one backup copy is kept. Sources the lib-backup-ipt or the lib-backup-nft script which does most of the actual work.
+
+`geoip-shell-backup create-backup` : Creates a backup of the current firewall state and geoip blocking config.
+
+`geoip-shell-backup restore` : Restores the firewall state and the config from backup. Used by the *run script to implement persistence. Can be manually used for recovery from fault conditions.
+
--- /dev/null
+# Copyright 2024 friendly-bits, antonk (antonk.d3v@gmail.com)
+# This is free software, licensed under the GNU General Public License v3.
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=geoip-shell
+PKG_VERSION:=0.5
+PKG_RELEASE:=2
+PKG_LICENSE:=GPL-3.0-or-later
+PKG_MAINTAINER:=antonk <antonk.d3v@gmail.com>
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=3b56796aea49d7ae1e5ce3de1f5ccfafd36c7f3f
+PKG_SOURCE_URL:=https://github.com/friendly-bits/geoip-shell-openwrt.git
+PKG_MIRROR_HASH:=2a6cb1996fc7c48f146267e193fe1812addeb228adc5fe16a55341509d4a5353
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/geoip-shell/Default
+ CATEGORY:=Network
+ TITLE:=Flexible geoip blocker
+ URL:=https://github.com/friendly-bits/geoip-shell
+ MAINTAINER:=antonk <antonk.d3v@gmail.com>
+ DEPENDS:=+ca-bundle
+ PROVIDES:=geoip-shell
+ PKGARCH:=all
+endef
+
+define Package/geoip-shell
+$(call Package/geoip-shell/Default)
+ TITLE+= with nftables support
+ DEPENDS+= +kmod-nft-core +nftables +firewall4
+ DEFAULT_VARIANT:=1
+ VARIANT:=nftables
+endef
+
+define Package/geoip-shell-iptables
+$(call Package/geoip-shell/Default)
+ TITLE+= with iptables support
+ DEPENDS+= +kmod-ipt-ipset +IPV6:ip6tables +iptables +ipset
+ VARIANT:=iptables
+ CONFLICTS:=geoip-shell firewall4
+endef
+
+define Package/geoip-shell/description/Default
+ Flexible geoip blocker with a user-friendly command line interface (currently no LuCi interface).
+ For readme, please see
+ https://github.com/openwrt/packages/blob/master/net/geoip-shell/OpenWrt-README.md
+endef
+
+define Package/geoip-shell/description
+$(call Package/geoip-shell/description/Default)
+endef
+
+define Package/geoip-shell-iptables/description
+$(call Package/geoip-shell/description/Default)
+endef
+
+define Package/geoip-shell/postinst/Default
+ #!/bin/sh
+ rm "/usr/bin/geoip-shell" 2>/dev/null
+ ln -s "/usr/bin/geoip-shell-manage.sh" "/usr/bin/geoip-shell"
+ [ -s "/etc/geoip-shell/geoip-shell.conf" ] && /usr/bin/geoip-shell configure -z && exit 0
+ logger -s -t "geoip-shell" "Please run 'geoip-shell configure' to complete the setup."
+ exit 0
+endef
+
+define Package/geoip-shell/postinst
+$(call Package/geoip-shell/postinst/Default)
+endef
+
+define Package/geoip-shell-iptables/postinst
+$(call Package/geoip-shell/postinst/Default)
+endef
+
+define Package/geoip-shell/prerm/Default
+ #!/bin/sh
+ sh /usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh
+ exit 0
+endef
+
+define Package/geoip-shell/prerm
+$(call Package/geoip-shell/prerm/Default)
+endef
+
+define Package/geoip-shell-iptables/prerm
+$(call Package/geoip-shell/prerm/Default)
+endef
+
+define Package/geoip-shell/postrm
+ #!/bin/sh
+ sleep 1
+ echo "Reloading the firewall..."
+ fw4 -q reload
+ exit 0
+endef
+
+define Package/geoip-shell-iptables/postrm
+ #!/bin/sh
+ sleep 1
+ echo "Reloading the firewall..."
+ fw3 -q reload
+ exit 0
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/geoip-shell/install/Default
+
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/etc/init.d/geoip-shell-init $(1)/etc/init.d
+
+ $(INSTALL_DIR) $(1)/etc/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/cca2.list $(1)/etc/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/etc/geoip-shell/geoip-shell.const $(1)/etc/geoip-shell
+
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fetch.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-fw-include.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-backup.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-geoinit.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-run.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-mk-fw-include.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-manage.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-apply.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-detect-lan.sh $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_BUILD_DIR)/usr/bin/geoip-shell-cronsetup.sh $(1)/usr/bin
+
+ $(INSTALL_DIR) $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-status.sh $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-owrt-common.sh $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-common.sh $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-owrt-uninstall.sh $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-arrays.sh $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-setup.sh $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-uninstall.sh $(1)/usr/lib/geoip-shell
+
+endef
+
+
+define Package/geoip-shell/install
+$(call Package/geoip-shell/install/Default,$(1))
+ $(INSTALL_DIR) $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-nft.sh $(1)/usr/lib/geoip-shell
+
+endef
+
+
+define Package/geoip-shell-iptables/install
+$(call Package/geoip-shell/install/Default,$(1))
+ $(INSTALL_DIR) $(1)/usr/lib/geoip-shell
+ $(INSTALL_CONF) $(PKG_BUILD_DIR)/usr/lib/geoip-shell/geoip-shell-lib-ipt.sh $(1)/usr/lib/geoip-shell
+
+endef
+
+$(eval $(call BuildPackage,geoip-shell))
+$(eval $(call BuildPackage,geoip-shell-iptables))
+
+
--- /dev/null
+## **Notes**
+1) On OpenWrt, geoip-shell expects that the default shell (called by the `sh` command) is _ash_, and the automatic shell detection feature implemented for other platforms is disabled on OpenWrt.
+
+2) Firewall rules structure created by geoip-shell:
+ <details> <summary>Read more:</summary>
+
+ ### **iptables**
+ - With **iptables**, all firewall rules created by geoip-shell are in the table `mangle`. The reason to use `mangle` is that this table has a built-in chain called `PREROUTING` which is attached to the `prerouting` hook in the netfilter kernel component. Via a rule in this chain, geoip-shell creates one set of rules which applies to all ingress traffic for a given ip family, rather than having to create and maintain separate rules for chains INPUT and FORWARDING which would be possible in the default `filter` table.
+ - This also means that any rules you might have in the `filter` table will only see traffic which is allowed by geoip-shell rules, which may reduce the CPU load as a side-effect.
+ - Note that **iptables** features separate tables for ipv4 and ipv6, hence geoip-shell creates separate rules for each family (unless the user restricts geoip-shell to a certain family during installation).
+ - Inside the table `mangle`, geoip-shell creates the custom chain `GEOIP-SHELL` and redirects traffic to it via a rule in the `PREROUTING` chain. geoip-shell calls that rule the "enable" rule which can be removed or re-added on-demand with the commands `geoip-shell on` and `geoip-shell off`. If the "enable" rule is not present, system firewall will act as if all other geoip-shell rules (for a given ip family) are not present.
+ - If specific network interfaces were set during installation, the "enable" rule directs traffic to a 2nd custom chain `GEOIP-SHELL_WAN` rather than to the `GEOIP-SHELL` chain. geoip-shell creates rules in the `GEOIP-SHELL_WAN` chain which selectively direct traffic only from the specified network interfaces to the `GEOIP-SHELL` chain.
+ - With iptables, geoip-shell removes the "enable" rule before making any changes to the ip sets and rules, and re-adds it once the changes have been successfully made. This is a precaution measure intended to minimize any chance of potential problems. Typically ip list updates do not take more than a few seconds, and on reasonably fast systems less than a second, so the time when geoip blocking is not enabled is typically very brief.
+
+ ### **nftables**
+ - With **nftables**, all firewall rules created by geoip-shell are in the table named `geoip-shell`, family "inet", which is a term nftables uses for tables applying to both ip families. The `geoip-shell` table includes rules for both ip families and any nftables sets geoip-shell creates. geoip-shell creates 2 chains in that table: `GEOIP-BASE` and `GEOIP-SHELL`. The base chain attaches to netfilter's `prerouting` hook and has a rule which directs traffic to the `GEOIP-SHELL` chain. That rule is the geoip-shell "enable" rule for nftables-based systems which acts exactly like the "enable" rule in the iptables-based systems, except it applies to both ip families.
+ - **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during installation, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain.
+ - **nftables** features atomic rules updates, meaning that when issuing multiple nftables commands at once, if any command fails, all changes get cancelled and the system remains in the same state as before. geoip-shell utilizes this feature for fault-tolerance and to completely eliminate time when geoip blocking is disabled during an update of the sets or rules.
+ - **nftables** current version (up to 1.0.8 and probably 1.0.9) has some bugs related to unnecessarily high transient memory consumption when performing certain actions, including adding new sets. These bugs are known and for the most part, already have patches implemented which should eventually roll out to the distributions. This mostly matters for embedded hardware with less than 512MB of memory. geoip-shell works around these bugs as much as possible. One of the workarounds is to avoid using the atomic replacement feature for nftables sets. Instead, when updating sets, geoip-shell first adds new sets one by one, then atomically applies all other changes, including rules changes and removing the old sets. In case of an error during any stage of this process, all changes get cancelled, old rules and sets remain in place and geoip-shell then destroys the new sets. This is less efficient but with current versions of nftables, this actually lowers the minimum memory bar for the embedded devices. Once a new version of nftables will be rolled out to the distros, geoip-shell will adapt the algorithm accordingly.
+
+ ### **nftables and iptables**
+ - With both **nftables** and **iptables**, geoip-shell goes a long way to make sure that firewall rules and ip sets are correct and matching the user-defined config. Automatic corrective mechanisms are implemented which should restore geoip-shell firewall rules in case they do not match the config (which normally should never happen).
+ - geoip-shell implements rules and ip sets "tagging" to distinguish between its own rules and other rules and sets. This way, geoip-shell never makes any changes to any rules or sets which geoip-shell did not create.
+ - When uninstalling, geoip-shell removes all its rules, chains and ip sets.
+
+ </details>
+
+3) geoip-shell uses RIPE as the default source for ip lists. RIPE is a regional registry, and as such, is expected to stay online and free for the foreseeable future. However, RIPE may be fairly slow in some regions. For that reason, I implemented support for fetching ip lists from ipdeny. ipdeny provides aggregated ip lists, meaning in short that there are less entries for same effective geoip blocking, so the machine which these lists are installed on has to do less work when processing incoming connection requests. All ip lists the suite fetches from ipdeny are aggregated lists.
+
+4) The scripts intended as user interface are: **-install**, **-uninstall**, **-manage** (also called by running '**geoip-shell**' after installation) and **check-ip-in-registry.sh**. The -manage script saves the config to a file and implements coherence checks between that file and the actual firewall state. While you can run the other scripts individually, if you make changes to firewall geoip rules, next time you run the -manage script it may insist on reverting those changes since they are not reflected in the config file. The **-backup** script can be used individually. By default, it creates a backup of geoip-shell state after every successful action involving changes to or updates of the ip lists. If you encounter issues, you can use it with the 'restore' command to restore geoip-shell to its previous state. It also restores the config, so the -manage script will not mind.
+
+5) How to manually check firewall rules created by geoip-shell:
+ - With nftables: `nft -t list table inet geoip-shell`. This will display all geoip-shell rules and sets.
+ - With iptables: `iptables -vL -t mangle` and `ip6tables -vL -t mangle`. This will report all geoip-shell rules. To check ipsets created by geoip-shell, use `ipset list -n | grep geoip-shell`. For a more detailed view, use this command: `ipset list -t`.
+
+6) The run, fetch and apply scripts write to syslog in case an error occurs. The run and fetch scripts also write to syslog upon success. To verify that cron jobs ran successfully, on Debian and derivatives run `cat /var/log/syslog | grep geoip-shell`. On other distributions, you may need to figure out how to access the syslog.
+
+7) These scripts will not run in the background consuming resources (except for a short time when triggered by the cron jobs). All the actual blocking is done by the netfilter component in the kernel. The scripts offer an easy and relatively fool-proof interface with netfilter, config persistence, automated ip lists fetching and auto-update.
+
+8) Sometimes ip list source servers are temporarily unavailable and if you're unlucky enough to attempt installation during that time frame, the fetch script will fail which will cause the installation to fail as well. Try again after some time or use another source. Once the installation succeeds, an occasional fetch failure during autoupdate won't cause any issues as last successfully fetched ip list will be used until the next autoupdate cycle succeeds.
+
+9) How to geoblock or allow specific ports (applies to the _-install_ and _-manage_ scripts).
+ The general syntax is: `-p <[tcp|udp]:[allow|block]:[all|<ports>]>`
+ Where `ports` may be any combination of comma-separated individual ports or port ranges (for example: `125-130` or `5,6` or `3,140-145,8`).
+ You can use the `-p` option twice to cover both tcp and udp, for example: `-p tcp:allow:22,23 -p udp:block:128-256,3`
+
+ Examples with the -install script:
+
+ `sh geoip-shell-install -c de -m whitelist -p tcp:allow:125-135,7` - for tcp, allow incoming traffic on ports 125-135 and 7, geoblock incoming traffic on other tcp ports (doesn't affect UDP traffic)
+
+ `sh geoip-shell-install -c de -m blacklist -p udp:allow:3,15-20,1024-2048` - for udp, allow incoming traffic on ports 15-20 and 3, geoblock all other incoming udp traffic (doesn't affect TCP traffic)
+
+ Examples with the -manage script (also called via 'geoip-shell' after installation) :
+
+ `geoip-shell configure -p tcp:block:all` - for tcp, geoblock all ports (default behavior)
+
+ `geoip-shell configure -p udp:allow:all` - for udp, don't geoblock any ports (completely disables geoblocking for udp)
+
+ `geoip-shell configure -p tcp:block:125-135,7` - for tcp, only geoblock incoming traffic on ports 125-135 and 7, allow incoming traffic on all other tcp ports
+
+10) How to remove specific ports assignment:
+
+ use `-p [tcp|udp]:block:all`.
+
+ Example: `geoip-shell configure -p tcp:block:all` will remove prior port-specific rules for the tcp protocol. All tcp packets on all ports will now go through geoip filter.
+
+11) How to make all packets for a specific protocol bypass geoip blocking:
+
+ use `p [tcp|udp]:allow:all`
+
+ Example: `geoip-shell configure -p udp:allow:all` will allow all udp packets on all ports to bypass the geoip filter.
+
+12) Firewall rules persistence, as well as automatic list updates, is implemented via cron jobs: a periodic job running by default on a daily schedule, and a job that runs at system reboot (after 30 seconds delay). Either or both cron jobs can be disabled (run the *install script with the -h option to find out how, or read [DETAILS.md](DETAILS.md)). On OpenWrt, persistence is implemented via an init script and a firewall include rather than via a cron job.
+
+13) You can specify a custom schedule for the periodic cron job by passing an argument to the install script. Run it with the '-h' option for more info.
+
+14) If you want to change the autoumatic update schedule but you don't know the crontab expression syntax, check out https://crontab.guru/ (no affiliation). geoip-shell includes a script which validates cron expressions you request, so don't worry about making a mistake.
+
+15) Note that cron jobs will be run as root.
+
+16) If you have nftables installed but for some reason you are using iptables rules (via the nft_compat kernel module which is provided by packages like nft-iptables etc), you can and probably should install geoip-shell with the option `-w ipt` which will force it to use iptables+ipset. For example: `geoip-shell install -w ipt`.
+
+17) If you upgrade your system from iptables to nftables, you can either re-install geoip-shell and it will then automatically use nftables, or you can use this command without reinstalling: `geoip-shell configure -w nft`, which will remove all iptables rules and ipsets and re-create nftables rules and sets based on your existing config. If you are on OpenWrt, this does not apply: instead, you will need to install the geoip-shell package for nftables-based OpenWrt.
+
+18) To test before deployment:
+ <details> <summary>Read more:</summary>
+
+ - You can run the install script with the "-N true" (N stands for noblock) option to apply all actions and create all firewall rules except the geoip-shell "enable" rule. This way you can make sure that no errors are encountered and check the resulting firewall rules before committing to actual blocking. To enable blocking later, use the command `geoip-shell on`.
+ - You can run the install script with the "-n true" (n stands for nopersistence) option to skip creating the reboot cron job which implements persistence and with the '-s disable' option to skip creating the autoupdate cron job. This way, a simple machine restart should undo all changes made to the firewall (unless you have some software which restores firewall settings after reboot). For example: `sh geoip-shell-install -c <country_code> -m whitelist -n true -s disable`. To enable persistence and automatic updates later, reinstall without both options.
+
+ </details>
+
+19) How to get yourself locked out of your remote server and how to prevent this:
+ <details> <summary>Read more:</summary>
+
+ There are 4 scenarios where you can lock yourself out of your remote server with this suite:
+ - install in whitelist mode without including your country in the whitelist
+ - install in whitelist mode and later remove your country from the whitelist
+ - blacklist your country (either during installation or later)
+ - your remote machine has no dedicated WAN interfaces (it is behind a router) and you incorrectly specified LAN subnets the machine belongs to
+
+ As to the first 3 scenarios, the -manage script will warn you in each of these situations and wait for your input (you can press Y and do it anyway), but that depends on you correctly specifying your country code during installation. The -install script will ask you about it. If you prefer, you can skip by pressing Enter - that will disable this feature. If you do provide the -install script your country code, it will be added to the config file on your machine and the -manage script will read the value and perform the necessary checks, during installation or later when you want to make changes to the blacklist/whitelist.
+
+ As to the 4th scenario, geoip-shell implements LAN subnets automatic detection and asks you to verify that the detected LAN subnets are correct. If you are not sure how to verify this, reading the [SETUP.md](SETUP.md) file should help. Read the documentation, follow it and you should be fine. If you specify your own LAN ip addresses or subnets (rather than using the automatically detected ones), geoip-shell validates them, meaning it makes sure that they appear to be valid by checking them with regex, and asking the kernel. This does not prevent a situation where you provide technically valid ip's/subnets which however are not actually used in the LAN your machine belongs to. So double-check. Also note that LAN subnets **may** change in the future, for example if someone changes some config in the router or replaces the router etc. For this reason, when installing the suite for **all** network interfaces, the -install script offers to enable automatic detection of LAN subnets at each periodic update. If for some reason you do not enable this feature, you will need to make the necessary precautions when changing LAN subnets your remote machine belongs to.
+
+ As an additional measure, during installation you can specify trusted ip addresses anywhere on the Internet which will not be geoblocked, so in case something goes very wrong, you will be able to regain access to the remote machine. This does require to have a known static public ip address or subnet. To specify ip's, call the install script with this option: `-t <"[trusted_ips]">`.
+
+ </details>
--- /dev/null
+## geoip-shell on OpenWrt
+
+Currently geoip-shell fully supports OpenWrt, both with firewall3 + iptables and with firewall4 + nftables, while providing the same user interface and features as on any other Linux system. So usage is the same as described in the main [README.md](README.md) file, while some parts of the backend (namely persistence implementation), some defaults and the location of the data directory are different.
+
+The _geoip-shell-iptables_ package is for firewall3+iptables OpenWrt systems, while the _geoip-shell_ package is for firewall4+nftables OpenWrt systems.
+
+A LuCi interface has not been implemented (yet). As on any other Linux system, all user interface is via a command line (but my goal is to make this an easy experience regardless). If this discourages you from using geoip-shell, please let me know. A few people asking for this feature may motivate me to prioritize it.
+
+## Usage after installation via ipk
+After installing the ipk package, geoip-shell will be inactive until you configure it. To do so, run `geoip-shell configure` and follow the interactive setup. You can also run `geoip-shell -h` before that to find out about configuration options and then append certain options after the `configure` action, for example: `geoip-shell configure -c "de nl" -m whitelist` to configure geoip-shell in whitelist mode for countries Germany and Netherlands. The interactive setup will ask you about all the important options but some niche options are only available non-interactively (for example if you want to configure geoblocking for certain selection of ports). You can always change these settings after initial configuration via the same `geoip-shell configure` command.
+
+## Uninstallation of geoip-shell if installed via ipk
+- For nftables-based systems: `opkg remove geoip-shell`
+- For iptables-based systems: `opkg remove geoip-shell-iptables`
+
+## Resources management on OpenWrt
+Because OpenWrt typically runs on embedded devices with limited memory and very small flash storage, geoip-shell implements some techniques to conserve these resources as much as possible:
+- During installation on OpenWrt, comments and the debug code are stripped from the scripts to reduce their size.
+- Only the required modules are installed, depending on the system (iptables- or nftables- based).
+- I've researched the most memory-efficient way for loading ip lists into nftables sets. Currently, nftables has some bugs related to this process which may cause unnecessarily high memory consumption. geoip-shell works around these bugs as much as possible.
+- To avoid unnecessary flash storage wear, all filesystem-related tasks geoip-shell does which do not require permanent storage are done in the /tmp directory which in the typical OpenWrt installation is mounted on the ramdisk.
+- Some defaults on OpenWrt are different to further minimize flash storage wear (read below).
+
+### Scripts size
+Typical geoip-shell installation on an OpenWrt system currently consumes around 120kB. The distribution folder itself weighs quite a bit more (mainly because of documentation) but you can install via an ipk which doesn't remain in storage after installation, or if installing via the -install script, delete the distribution folder and free up space taken by it. geoip-shell does not install its documentation into the system.
+I have some plans to reduce that size by compressing certain scripts which provide user interface and implementing automatic extraction to /tmp when the user wants to access them, but this is not yet implemented.
+
+To view all installed geoip-shell scripts in your system and their sizes, run `ls -lh /usr/bin/geoip-shell-* /usr/lib/geoip-shell/*`.
+
+## Persistence on OpenWrt
+- Persistence of geoip firewall rules and ip sets works differenetly on OpenWrt than on other Linuxes, since geoip-shell has an OpenWrt-specific procd init script.
+- The cron job which implements persistence on other Linuxes and runs at reboot is not created on OpenWrt.
+- geoip-shell integrates into firewall3 or firewall4 via what's called a "firewall include". On OpenWrt, a firewall include is a setting which tells firewall3 or firewall4 to do something specific in response to certain events.
+- The only task of the init script for geoip-shell is to call the geoip-shell-mk-fw-include.sh script, which makes sure that the firewall include exists and is correct, if not then creates the include.
+- The firewall include is what does the actual persistence work. geoip-shell firewall include triggers on firewall reload (which happens either at reboot or when the system decides that a reload of the firewall is necessary, or when initiated by the user).
+- When triggered, the include script calls the -run script with the "restore" action.
+- The -run script verifies that geoip nftables/iptables rules and ip sets exist, and if not then it restores them from backup, or (if backup doesn't exist) initiates re-fetch of the ip lists and then re-creates the rules and the ip sets.
+- By default, geoip-shell does not create backups on OpenWrt because typically the permanent storage is very small and prone to wear.
+- Automatic updates of ip lists on OpenWrt are triggered from a cron job like on other Linuxes.
+
+## Defaults for OpenWrt
+Generally the defaults are the same as for other systems, except:
+- the data directory which geoip-shell uses to store the status file and the backups is by default in `/tmp/geoip-shell-data`, rather than in `/var/lib/geoip-shell` as on other Linux systems. This is to avoid flash wear. You can change this by running the install script with the `-a <path>` option, or after installation via the command `geoip-shell configure -a <path>`.
+- the 'nobackup' option is set to 'true', which configures geoip-shell to not create backups of the ip lists. With this option, geoip-shell will work as usual, except after reboot (and for iptables-based systems, after firewall restart) it will re-fetch the ip lists, rather than loading them from backup. You can change this by running the -install script with the `-o false` option (`-o` stands for nobackup), or after installation via the command `geoip-shell configure -o false`. To have persistent ip list backups, you will also need to change the data directory path as explained above.
+- if using geoip-shell on a router with just a few MB of embedded flash storage, consider either leaving the nobackup and datadir path defaults as is, or connecting an external storage device to your router (preferably formatted to ext4) and configuring a directory on it as your geoip-shell data directory, then enabling automatic backups. For example, if your external storage device is mounted on _/mnt/somedevice_, you can do all this via this command: `geoip-shell configure -a /mnt/somedevice/geoip-shell-data -o false`.
+- the default ip lists source for OpenWrt is ipdeny (rather than ripe). While ipdeny is a 3rd party, they provide aggregated lists which consume less memory (on nftables-based systems the ip lists are automatically optimized after loading into memory, so there the source does not matter, but a smaller initial ip lists size will cause a smaller memory consumption spike while loading the ip list).
+
+This is about it for this document. Much more information is available in the main [README.md](README.md) and in the extra _.md_ files inside the Documentation directory. If you have any questions, contact me in this thread:
+https://forum.openwrt.org/t/geoip-shell-flexible-geoip-blocker-for-linux-now-supports-openwrt/189611
+
+If you use this project, I will be happy to hear about your experience in the above thread. If for some reason geoip-shell is not working for you, I will want to know that as well so I can improve it.
+
--- /dev/null
+# **geoip-shell**
+Geoip blocker for Linux. Supports both **nftables** and **iptables** firewall management utilities.
+
+The idea of this project is making geoip blocking easy on (almost) any Linux system, no matter which hardware, including desktop, server, VPS or router, while also being reliable and providing flexible configuration options for the advanced users.
+
+Supports running on OpenWrt. Supports ipv4 and ipv6.
+
+## Table of contents
+- [Main Features](#main-features)
+- [Usage](#usage)
+- [Pre-requisites](#pre-requisites)
+- [Notes](#notes)
+- [In detail](#in-detail)
+- [OpenWrt](#openwrt)
+- [Privacy](#privacy)
+
+## **Main Features**
+* Core functionality is creating either a whitelist or a blacklist in the firewall using automatically downloaded ip lists for user-specified countries.
+
+* ip lists are fetched either from **RIPE** (regional Internet registry for Europe, the Middle East and parts of Central Asia) or from **ipdeny**. Both sources provide updated ip lists for all regions.
+
+* All firewall rules and ip sets required for geoip blocking to work are created automatically during installation or setup.
+
+* Implements optional (enabled by default) persistence of geoip blocking across system reboots and automatic updates of the ip lists.
+
+* After installation, a utility is provided to check geoip status and firewall rules or change country codes and geoip-related config.
+
+### **Reliability**:
+- Downloaded ip lists go through validation which safeguards against application of corrupted or incomplete lists to the firewall.
+
+<details> <summary>Read more:</summary>
+
+- With nftables, utilizes nftables atomic rules replacement to make the interaction with the system firewall fault-tolerant and to completely eliminate time when geoip is disabled during an automatic update.
+- All scripts perform extensive error detection and handling.
+- All user input is validated to reduce the chance of accidental mistakes.
+- Verifies firewall rules coherence after each action.
+- Automatic backup of geoip-shell state (optional, enabled by default except on OpenWrt).
+- Automatic recovery of geoip-shell firewall rules after a reboot (a.k.a persistence) or in case of unexpected errors.
+- Supports specifying trusted ip addresses anywhere on the Internet which will bypass geoip blocking to make it easier to regain access to the machine if something goes wrong.
+</details>
+
+### **Efficiency**:
+- Utilizes the native nftables sets (or, with iptables, the ipset utility) which allows to create efficient firewall rules with thousands of ip ranges.
+
+<details><summary>Read more:</summary>
+
+- With nftables, optimizes geoip blocking for low memory consumption or for performance, depending on the RAM capacity of the machine and on user preference. With iptables, automatic optimization is implemented.
+- Ip list parsing and validation are implemented through efficient regex processing which is very quick even on slow embedded CPU's.
+- Implements smart update of ip lists via data timestamp checks, which avoids unnecessary downloads and reconfiguration of the firewall.
+- Uses the "prerouting" hook in kernel's netfilter component which shortens the path unwanted packets travel in the system and may reduce the CPU load if any additional firewall rules process incoming traffic down the line.
+- Supports the 'ipdeny' source which provides aggregated ip lists (useful for embedded devices with limited memory).
+- Scripts are only active for a short time when invoked either directly by the user or by the init script/reboot cron job/update cron job.
+
+</details>
+
+### **User-friendliness**:
+- Good command line interface and useful console messages.
+
+<details><summary>Read more:</summary>
+
+- Extensive and (usually) up-to-date documentation.
+- Sane settings are applied during installation by default, but also lots of command-line options for advanced users or for special corner cases are provided.
+- Provides a utility (symlinked to _'geoip-shell'_) for the user to change geoip config (turn geoip on or off, change country codes, change geoip blocking mode, change ip lists source, change the cron schedule etc).
+- Provides a command _('geoip-shell status')_ to check geoip blocking status, which also reports if there are any issues.
+- In case of an error or invalid user input, provides useful error messages to help with troubleshooting.
+- All main scripts display detailed 'usage' info when executed with the '-h' option.
+- The code should be fairly easy to read and includes a healthy amount of comments.
+</details>
+
+### **Compatibility**:
+- Since the project is written in POSIX-compliant shell code, it is compatible with virtually every Linux system (as long as it has the [pre-requisites](#pre-requisites)). It even works well on simple embedded routers with 8MB of flash storage and 128MB of memory (for nftables, 256MB is recommended if using large ip lists such as the one for US until the nftables team releases a fix reducing memory consumption).
+
+<details><summary>Read more:</summary>
+
+- Supports running on OpenWrt.
+- The project avoids using non-common utilities by implementing their functionality in custom shell code, which makes it faster and compatible with a wider range of systems.
+</details>
+
+## **Usage**
+
+If you want to change geoip blocking config or check geoip blocking status, you can do that via the provided utilities.
+A selection of options is given here, for additional options run `geoip-shell -h` or read [NOTES.md](NOTES.md)and [DETAILS.md](DETAILS.md).
+
+**To check current geoip blocking status:** `geoip-shell status`. For a list of all firewall rules in the geoip chain and for a detailed count of ip ranges in each ip list: `geoip-shell status -v`.
+
+**To add or remove ip lists for countries:** `geoip-shell <add|remove> -c <"country_codes">`
+
+_<details><summary>Examples:</summary>_
+- example (to add ip lists for Germany and Netherlands): `geoip-shell add -c "DE NL"`
+- example (to remove the ip list for Germany): `geoip-shell remove -c DE`
+</details>
+
+**To enable or disable geoip blocking:** `geoip-shell <on|off>`
+
+**To change ip lists source:** `geoip-shell configure -u <ripe|ipdeny>`
+
+**To change geoip blocking mode:** `geoip-shell configure -m <whitelist|blacklist>`
+
+**To have certain trusted ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -t <["ip_addresses"]|none>`. `none` removes previously set trusted ip addresses.
+
+**To have certain LAN ip addresses or subnets bypass geoip blocking:** `geoip-shell configure -l <["ip_addresses"]|auto|none>`. `auto` will automatically detect LAN subnets (only use this if the machine has no dedicated WAN interfaces). `none` removes previously set LAN ip addresses. This is only needed when using geoip-shell in whitelist mode, and typically only if the machine has no dedicated WAN network interfaces. Otherwise you should apply geoip blocking only to those WAN interfaces, so traffic from your LAN to the machine will bypass the geoip filter.
+
+**To change protocols and ports geoblocking applies to:** `geoip-shell configure -p <[tcp|udp]:[allow|block]:[all|<ports>]>`
+
+_(for detailed description of this feature, read [NOTES.md](NOTES.md), sections 9-11)_
+
+**To enable or change the automatic update schedule:** `geoip-shell configure -s <"schedule_expression">`
+
+_<details><summary>Example</summary>_
+
+`geoip-shell configure -s "1 4 * * *"`
+
+</details>
+
+**To disable automatic updates of ip lists:** `geoip-shell configure -s disable`
+
+**To update or re-install geoip-shell:** run the -install script from the (updated) distribution directory. It will first run the -uninstall script of the older/existing version, then install the new version.
+
+On OpenWrt, if installed via an ipk package: `opkg uninstall <geoip-shell|geoip-shell-iptables>`
+
+## **Pre-requisites**
+- **Linux**. Tested on Debian-like systems and on OPENWRT, should work on any desktop/server distribution and possibly on some other embedded distributions.
+- **POSIX-compliant shell**. Works on most relatively modern shells, including **bash**, **dash**, **ksh93**, **yash** and **ash** (including Busybox **ash**). Likely works on **mksh** and **lksh**. Other flavors of **ksh** may or may not work _(please let me know if you try them)_. Does **not** work on **tcsh** and **zsh**.
+
+- **nftables** - firewall management utility. Supports nftables 1.0.2 and higher (may work with earlier versions but I do not test with them).
+- OR **iptables** - firewall management utility. Should work with any relatively modern version.
+- for **iptables**, requires the **ipset** utility - install it using your distribution's package manager
+- standard Unix utilities including **tr**, **cut**, **sort**, **wc**, **awk**, **sed**, **grep**, **pgrep**, **pidof** and **logger** which are included with every server/desktop linux distribution (and with OpenWrt). Both GNU and non-GNU versions are supported, including BusyBox implementation.
+- **wget** or **curl** or **uclient-fetch** (OpenWRT-specific utility).
+- for the autoupdate functionality, requires the **cron** service to be enabled.
+
+## **Notes**
+For some helpful notes about using this suite, read [NOTES.md](NOTES.md).
+
+## **In detail**
+For specifics about each script, read [DETAILS.md](DETAILS.md).
+
+## **OpenWrt**
+For information about OpenWrt support, read the [OpenWrt README](OpenWrt-README.md).
+
+## **Privacy**
+geoip-shell does not share your data with anyone.
+If you are using the ipdeny source then note that they are a 3rd party which has its own data privacy policy.
+
--- /dev/null
+# Notes about questions asked during the initial setup
+
+## **'Your shell 'A' is supported by geoip-shell but a faster shell 'B' is available in this system, using it instead is recommended. Would you like to use 'B' with geoip-shell?'**
+
+geoip-shell will work with the shell A you ran it from, but it will work faster with a shell B which is also installed in your system. Your call - type in `y` or `n`. The recommendation is clear. If you type in `y`, geoip-shell installer will launch itself using shell B and configure geoip-shell to always use shell B.
+
+## **'I'm running under an unsupported/unknown shell shell 'A' but a supported shell 'B' is available in this system, using it instead is recommended. Would you like to use 'B' with geoip-shell?'**
+
+Whether geoip-shell will work correctly or at all with the shell A you ran it from is unknown, but a supported shell B is available in your system. You can try to run geoip-shell with A but the recommendation is clear. Generally, geoip-shell works best with shells `ash` and `dash`. If you type in `y`, geoip-shell installer will launch itself using shell B and configure geoip-shell to always use shell B.
+
+## **'Please enter your country code':**
+
+If you answer this question, the _-manage_ script will check that changes in ip lists which you request to make will not block your own country and warn you if they will. This applies both to the initial setup, and to any subsequent changes to the ip lists which you may want to make in the future. The idea behind this is to make this tool as fool-proof as possible. This information is written to the geoip-shell config file (only readable by root) on your device and geoip-shell does not send it anywhere. You can remove this config entry any time via the command `geoip-shell configure -r none`. You can skip the question by pressing Enter if you wish.
+
+## **'Does this machine have dedicated WAN interface(s)? [y|n]':**
+
+Answering this question is mandatory because the firewall is configured differently, depending on the answer. Answering it incorrectly may cause unexpected results, including having no geoip blocking or losing remote access to your machine.
+
+A machine may have dedicated WAN network interfaces if it's a router or in certain cases a VPS (virtual private server). When geoip-shell is configured to work with certain network interfaces, geoip firewall rules are applied only to traffic arriving from these interfaces, and all other traffic is left alone.
+
+Otherwise, geoip rules are applied to traffic arriving from all network interfaces, except the loopback interface. Besides that, when geoip-shell is installed in whitelist mode and you picked `n` in this question, additional firewall rules may be created which add LAN subnets or ip's to the whitelist in order to avoid blocking them (you can approve or configure that on the next step of the installation). This does not guarantee that your LAN subnets will not be blocked by another rule in another table, and in fact, if you prefer to block some of them then having them in whitelist will not matter. This is because while the 'drop' verdict is final, the 'accept' verdict is not.
+
+## **'Autodetected ipvX LAN subnets: ... [c]onfirm, c[h]ange, [s]kip or [a]bort installation?'**
+
+You will see this question if installing the suite in whitelist mode and you chose `n` in the previous question. The reason why under these conditions this question is asked is to avoid blocking your LAN from accessing your machine.
+
+If you are absolutely sure that you will not need to access the machine from the LAN then you can type in 's' to skip.
+Otherwise I recommend to add LAN subnets to the whitelist. You can either confirm the automatically detected subnets, or specify any combination of ip's and subnets on your LAN which you wish to allow connections from.
+
+The autodetection code should, in most cases, detect correct LAN subnets. However, it is up to you to verify that it's done its job correctly.
+
+One way to do that is by typing in 'c' to confirm and once installation completes, verifying that you can still access the machine from LAN (note that if you have an active connection to that machine, for example through SSH, it will likely continue to work until disconnection even if autodetection of LAN subnets did not work out correctly).
+Of course, this is risky in cases where you do not have physical access to the machine.
+
+Another way to do that is by checking which ip address you need to access the machine from, and then verifying that said ip address is included in one of the autodetected subnets. For example, if your other machine's ip is `192.168.1.5` and one of the autodetected subnets is `192.168.1.0/24` then you will want to check that `192.168.1.5` is included in subnet `192.168.1.0/24`. Provided you don't know how to make this calculation manually, you can use the `grepcidr` tool this way:
+`echo "192.168.1.5" | grepcidr "192.168.1.0/24"`
+
+The syntax to check in multiple subnets (note the double quotes):
+`echo "[ip]" | grepcidr "[subnet1] [subnet2] ... [subnetN]"`
+
+(also works for ipv6 addresses)
+
+If the ip address is in range, grepcidr will print it, otherwise it will not. You may need to install grepcidr using your distribution's package manager.
+
+Alternatively, you can use an online service which will do the same check for you. There are multiple services providing this functionality. To find them, look up 'IP Address In CIDR Range Check' in your preferred online search engine.
+
+A third way to do that is by examining your network configuration (in your router) and making sure that the autodetected subnets match those in the configuration.
+
+If you find out that the subnets were detected incorrectly, you can type in 'h' and manually enter the correct subnets or ip addresses which you want to allow connections from.
+
+## **'A[u]to-detect LAN subnets when updating ip lists or keep this config c[o]nstant?'**
+
+As the above question, you will see this one if installing the suite in whitelist mode and you answered `n` to the question about WAN interfaces. You will not see this question if you specified custom subnets or ips in the previous question.
+
+The rationale for this question is that network configuration may change, and if it does then previously correctly configured LAN subnets may become irrelevant.
+
+If you type in 'a', each time geoip firewall rules are initialized or updated, LAN subnets will be re-detected.
+
+If you type in 'c' then whatever subnets have been detected during installation will be kept forever (until you re-install geoip-shell).
+
+Generally if automatic detection worked as expected during initial setup, most likely it will work correctly every time, so it is a good idea to allow auto-detection with each update. If not then, well, not.
+
+## **Extra options**
+
+- geoip-shell supports an additional setting: trusted ip's or subnets. Currently this is only configurable by running the -install script with the option `-t <"[trusted_ips]">` (or after installation via the `geoip-shell configure -t <"[trusted_ips]">` command). You can specify trusted ip addresses or subnets anywhere on the LAN or on the Internet. To remove this setting later, run `geoip-shell configure -t none`.
+
+- geoip-shell supports lots of additional command-line options. You can find out more by running `sh geoip-shell-install.sh -h`, or after installation `geoip-shell -h`, or by reading [NOTES.md](NOTES.md) and [DETAILS.md](DETAILS.md).
\ No newline at end of file
include $(TOPDIR)/rules.mk
PKG_NAME:=hcxdumptool
-PKG_VERSION:=6.3.2
+PKG_VERSION:=6.3.4
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/zerbea/hcxdumptool/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=1f6fe2b4757a5f20adeb6cc469693b4d0e8c49ba290450e10a37699d9f9a2a42
+PKG_HASH:=a45140960bd5de28085d549e1a9ccf2c08af143984a138c28ac4092c6a52a5d2
PKG_MAINTAINER:=Andreas Nilsen <adde88@gmail.com>
PKG_LICENSE:=MIT
PKG_NAME:=keepalived
PKG_VERSION:=2.2.8
-PKG_RELEASE:=5
+PKG_RELEASE:=6
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.keepalived.org/software
+++ /dev/null
-#!/bin/sh
-
-# shellcheck source=/dev/null
-. /lib/functions/keepalived/hotplug.sh
-
-set_service_name ucitrack
-
-set_reload_if_sync
-
-add_sync_file /etc/config/ucitrack
-
-keepalived_hotplug
include $(TOPDIR)/rules.mk
PKG_NAME:=lighttpd
-PKG_VERSION:=1.4.75
+PKG_VERSION:=1.4.76
PKG_RELEASE:=1
# release candidate ~rcX testing; remove for release
#PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x
-PKG_HASH:=8b721ca939d312afaa6ef31dcbd6afb5161ed385ac828e6fccd4c5b76be189d6
+PKG_HASH:=8cbf4296e373cfd0cedfe9d978760b5b05c58fdc4048b4e2bcaf0a61ac8f5011
PKG_MAINTAINER:=Glenn Strauss <gstrauss@gluelogic.com>
PKG_LICENSE:=BSD-3-Clause
include $(TOPDIR)/rules.mk
PKG_NAME:=modemmanager
-PKG_SOURCE_VERSION:=1.22.0
-PKG_RELEASE:=12
+PKG_VERSION:=1.22.0
+PKG_RELEASE:=13
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://gitlab.freedesktop.org/mobile-broadband/ModemManager.git
+PKG_SOURCE_VERSION:=$(PKG_VERSION)
PKG_MIRROR_HASH:=cd67d0833481146cc630299ffd2e7afdedb2c90f9d8ce3cc348af1fffacc87de
PKG_MAINTAINER:=Nicholas Smith <nicholas@nbembedded.com>
PKG_NAME:=mosquitto
PKG_VERSION:=2.0.18
-PKG_RELEASE:=2
+PKG_RELEASE:=3
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://mosquitto.org/files/source/
PKG_NAME:=natmap
PKG_VERSION:=20240303
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/heiher/natmap/releases/download/$(PKG_VERSION)
option forward_target ''
option forward_port ''
option notify_script ''
+ option log_stdout '1'
+ option log_stderr '1'
'port:port' \
'forward_target:host' \
'forward_port:port' \
- 'notify_script:file'
+ 'notify_script:file' \
+ 'log_stdout:bool:1' \
+ 'log_stderr:bool:1'
}
natmap_instance() {
procd_append_param command -e /usr/lib/natmap/update.sh
procd_set_param respawn
- procd_set_param stdout 1
- procd_set_param stderr 1
+ procd_set_param stdout "${log_stdout}"
+ procd_set_param stderr "${log_stderr}"
procd_close_instance
}
include $(TOPDIR)/rules.mk
PKG_NAME:=netbird
-PKG_VERSION:=0.26.6
+PKG_VERSION:=0.27.3
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/netbirdio/netbird/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=009656248dba9b0e9969c7658178c50ebef7866e96de75b79b9b15d8c2ba1a47
+PKG_HASH:=f172798f164b7484b231adc656eaf1090b6f7d9e7d7c3753f1e611bdf82ae738
PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
PKG_LICENSE:=BSD-3-Clause
include $(TOPDIR)/rules.mk
PKG_NAME:=nginx
-PKG_VERSION:=1.25.4
-PKG_RELEASE:=2
+PKG_VERSION:=1.25.5
+PKG_RELEASE:=1
PKG_SOURCE:=nginx-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://nginx.org/download/
-PKG_HASH:=760729901acbaa517996e681ee6ea259032985e37c2768beef80df3a877deed9
+PKG_HASH:=2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0
PKG_MAINTAINER:=Thomas Heil <heil@terminal-consulting.de> \
Christian Marangi <ansuelsmth@gmail.com>
Support file for LuCI in nginx. Include custom nginx configuration, autostart script for uwsgi.
endef
+define Package/nginx-mod-luci/preinst
+#!/bin/sh
+grep -r -l ngx_http_ubus_module.so /etc/nginx/module.d | grep -v ngx_http_ubus.module | while read file; do
+ echo "Removing old LuCI module load file for 'ngx_http_ubus.so' in $$file."
+ rm -f $$file
+done
+exit 0
+endef
+
define Package/nginx-mod-luci/install
$(INSTALL_DIR) $(1)/etc/nginx/conf.d
$(INSTALL_CONF) ./files-luci-support/luci.locations $(1)/etc/nginx/conf.d/
endef
define Download/nginx-mod-geoip2
+ SOURCE_DATE:=2020-01-22
VERSION:=1cabd8a1f68ea3998f94e9f3504431970f848fbf
URL:=https://github.com/leev/ngx_http_geoip2_module.git
- MIRROR_HASH:=b4bd8517f6595f28e9cea5370045df476e0f7fa9ca3611d71ba85c518f1a7eda
+ MIRROR_HASH:=f3d2a1af5c34812b5a34453457ba6a4d8093c92085aa7f76c46a1c4185c9735c
PROTO:=git
endef
endef
define Download/nginx-mod-headers-more
+ SOURCE_DATE:=2022-07-17
VERSION:=bea1be3bbf6af28f6aa8cf0c01c07ee1637e2bd0
URL:=https://github.com/openresty/headers-more-nginx-module.git
- MIRROR_HASH:=3617bbf7a935208a1d8d5f86a8f9b770f6987e4d2b5663a9ab1b777217e3066b
+ MIRROR_HASH:=569abadc137b5b52bdcc33b00aa21f6d266cb84fb891795da2c4e101c4898abe
PROTO:=git
endef
define Download/nginx-mod-brotli
+ SOURCE_DATE:=2020-04-23
VERSION:=25f86f0bac1101b6512135eac5f93c49c63609e3
URL:=https://github.com/google/ngx_brotli.git
- MIRROR_HASH:=c85cdcfd76703c95aa4204ee4c2e619aa5b075cac18f428202f65552104add3b
+ MIRROR_HASH:=680c56be79e7327cb8df271646119333d2f6965a3472bc7043721625fa4488f5
PROTO:=git
endef
define Download/nginx-mod-rtmp
+ SOURCE_DATE:=2018-12-07
VERSION:=f0ea62342a4eca504b311cd5df910d026c3ea4cf
URL:=https://github.com/ut0mt8/nginx-rtmp-module.git
- MIRROR_HASH:=d3f58066f0f858ed79f7f2b0c9b89de2ccc512c94ab3d0625f6dcff3df0b72c1
+ MIRROR_HASH:=9c98d886ae4ea3708bb0bca55f8df803418a407e0ffc6df56341bd76ad39cba8
PROTO:=git
endef
define Download/nginx-mod-ts
+ SOURCE_DATE:=2017-12-04
VERSION:=ef2f874d95cc75747eb625a292524a702aefb0fd
URL:=https://github.com/arut/nginx-ts-module.git
- MIRROR_HASH:=73938950bb286d40d9e54b0994d1a63827340c1156c72eb04d7041b25b20ec18
+ MIRROR_HASH:=3f144d4615a4aaa1215435cd06ae4054ea12206d5b38306321420f7acc62aca8
PROTO:=git
endef
define Download/nginx-mod-naxsi
+ SOURCE_DATE:=2022-09-14
VERSION:=d714f1636ea49a9a9f4f06dba14aee003e970834
URL:=https://github.com/nbs-system/naxsi.git
- MIRROR_HASH:=bd006686721a68d43f052f0a4f00e9ff99fb2abfbc4dcf8194a3562fe4e5c08b
+ MIRROR_HASH:=b0cef5fbf842f283eb5f0686ddd1afcd07d83abd7027c8cfb3e84a2223a34797
PROTO:=git
endef
define Download/nginx-mod-lua
+ SOURCE_DATE:=2023-08-19
VERSION:=c89469e920713d17d703a5f3736c9335edac22bf
URL:=https://github.com/openresty/lua-nginx-module.git
- MIRROR_HASH:=dd66465f65c094a1ddfff2035bff4da870b7c6b7e033d307a9806a6df290a1a5
+ MIRROR_HASH:=c3bdf1b23f0a63991b5dcbd1f8ee150e6f893b43278e8600e4e0bb42a6572db4
PROTO:=git
endef
define Download/nginx-mod-lua-resty-core
+ SOURCE_DATE:=2023-09-09
VERSION:=2e2b2adaa61719972fe4275fa4c3585daa0dcd84
URL:=https://github.com/openresty/lua-resty-core.git
- MIRROR_HASH:=4bfc267fd027161f88fcbeacce38e6bd13ba894a581c2d6dfe78ee270b1a473c
+ MIRROR_HASH:=c5f3df92fd72eac5b54497c039aca0f0d9ea1d87223f1e3a54365ba565991874
PROTO:=git
endef
define Download/nginx-mod-lua-resty-lrucache
+ SOURCE_DATE:=2023-08-06
VERSION:=52f5d00403c8b7aa8a4d4f3779681976b10a18c1
URL:=https://github.com/openresty/lua-resty-lrucache.git
- MIRROR_HASH:=618a972574b6b1db1eebf4046d9a471ac03ec092bb825136ba975928d4af2351
+ MIRROR_HASH:=0833e0114948af4edb216c5c34b3f1919f534b298f4fa29739544f7c9bb8a08d
PROTO:=git
endef
define Download/nginx-mod-dav-ext
+ SOURCE_DATE:=2018-12-17
VERSION:=f5e30888a256136d9c550bf1ada77d6ea78a48af
URL:=https://github.com/arut/nginx-dav-ext-module.git
- MIRROR_HASH:=70bb4c3907f4b783605500ba494e907aede11f8505702e370012abb3c177dc5b
+ MIRROR_HASH:=c574e60ffab5f6e5d8bea18aab0799c19cd9a84f3d819b787e9af4f0e7867b52
PROTO:=git
endef
define Download/nginx-mod-ubus
+ SOURCE_DATE:=2020-09-06
VERSION:=b2d7260dcb428b2fb65540edb28d7538602b4a26
URL:=https://github.com/Ansuel/nginx-ubus-module.git
- MIRROR_HASH:=472cef416d25effcac66c85417ab6596e634a7a64d45b709bb090892d567553c
+ MIRROR_HASH:=515bb9d355ad80916f594046a45c190a68fb6554d6795a54ca15cab8bdd12fda
PROTO:=git
endef
define Download/nginx-mod-$(1) +=
SUBDIR:=nginx-mod-$(1)
- FILE:=nginx-mod-$(1)-$$$$(VERSION).tar.xz
+ FILE:=nginx-mod-$(1)-$$$$(subst -,.,$$$$(SOURCE_DATE))~$$$$(call version_abbrev,$$$$(VERSION)).tar.zst
endef
endef
$(foreach m,$(PKG_MOD_EXTRA),$(eval $(call Module/Download,$(m))))
$(eval $(call Download,nginx-mod-$(1)))
$(eval $(Download/nginx-mod-$(1)))
mkdir -p $(PKG_BUILD_DIR)/nginx-mod-$(1)
- xzcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1
+ zstdcat $(DL_DIR)/$(FILE) | tar -C $(PKG_BUILD_DIR)/nginx-mod-$(1) $(TAR_OPTIONS) --strip-components 1
endef
define Build/Prepare
define Package/nginx-mod-$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/nginx/modules
+ $(INSTALL_DIR) $$(1)/etc/nginx/module.d
$(foreach m,$(3),
- $(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules
+ $(CP) $$(PKG_INSTALL_DIR)/usr/lib/nginx/modules/$(m)_module.so $$(1)/usr/lib/nginx/modules && \
+ echo "load_module /usr/lib/nginx/modules/$(m)_module.so;" > $$(1)/etc/nginx/module.d/$(m).module
)
$(call Module/nginx-mod-$(1)/install,$$(1))
endef
Add support for brotli compression module.))
$(eval $(call BuildModule,naxsi,,ngx_http_naxsi, \
Enable NAXSI module.))
-$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \
+$(eval $(call BuildModule,geoip2,+@NGINX_STREAM_CORE_MODULE +nginx-mod-stream +libmaxminddb,ngx_http_geoip2 ngx_stream_geoip2, \
Enable MaxMind GeoIP2 module.))
# TODO: remove after a transition period (together with pkg nginx-util):
EOT
fi
- if [ ! -f "/etc/nginx/module.d/luci.module" ]; then
- cat <<EOT >> /etc/nginx/module.d/luci.module
+ if [ ! -f "/etc/nginx/module.d/ngx_http_ubus.module" ]; then
+ cat <<EOT > /etc/nginx/module.d/ngx_http_ubus.module
load_module /usr/lib/nginx/modules/ngx_http_ubus_module.so;
EOT
fi
--- a/auto/options
+++ b/auto/options
-@@ -411,8 +411,7 @@ $0: warning: the \"--with-sha1-asm\" opt
+@@ -413,8 +413,7 @@ $0: warning: the \"--with-sha1-asm\" opt
--test-build-solaris-sendfilev) NGX_TEST_BUILD_SOLARIS_SENDFILEV=YES ;;
*)
include $(TOPDIR)/rules.mk
PKG_NAME:=ntp
-PKG_VERSION:=4.2.8p15
-PKG_RELEASE:=4
+PKG_VERSION:=4.2.8p17
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
-PKG_HASH:=f65840deab68614d5d7ceb2d0bb9304ff70dcdedd09abb79754a87536b849c19
+PKG_HASH:=103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866
PKG_LICENSE:=NTP
PKG_LICENSE_FILES:=COPYRIGHT html/copyright.html
reference NTP servers by the local daemon. At least one is required,
and two or more are recommended (unless you have an extremely available
local server). They should be picked to be geographically divergent,
-and preferrably reachable via different network carriers to protect
+and preferably reachable via different network carriers to protect
against network partitions, etc. They should also be high-quality
time providers (i.e. having stable, accurate clock sources).
often of unknown/unverified quality, and you use them at your own
risk.
-Early millenial versions of Windows (2000, XP, etc) used NTP only
+Early millennial versions of Windows (2000, XP, etc) used NTP only
to _initially set_ the clock to approximately 100ms accuracy (and
-not maintain sychronization), so the bar wasn't set very high.
-Since then, requirements for higher-qualty timekeeping have
+not maintain synchronization), so the bar wasn't set very high.
+Since then, requirements for higher-quality timekeeping have
arisen (e.g. multi-master SQL database replication), but most ISPs
have not kept up with the needs of their users.
+++ /dev/null
-From 082a504cfcc046c3d8adaae1164268bc94e5108a Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Sat, 31 Jul 2021 10:51:41 -0700
-Subject: [PATCH] libntp: Do not use PTHREAD_STACK_MIN on glibc
-
-In glibc 2.34+ PTHREAD_STACK_MIN is not a compile-time constant which
-could mean different stack sizes at runtime on different architectures
-and it also causes compile failure. Default glibc thread stack size
-or 64Kb set by ntp should be good in glibc these days.
-
-Upstream-Status: Pending
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- libntp/work_thread.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/libntp/work_thread.c
-+++ b/libntp/work_thread.c
-@@ -41,7 +41,7 @@
- #ifndef THREAD_MINSTACKSIZE
- # define THREAD_MINSTACKSIZE (64U * 1024)
- #endif
--#ifndef __sun
-+#if !defined(__sun) && !defined(__GLIBC__)
- #if defined(PTHREAD_STACK_MIN) && THREAD_MINSTACKSIZE < PTHREAD_STACK_MIN
- # undef THREAD_MINSTACKSIZE
- # define THREAD_MINSTACKSIZE PTHREAD_STACK_MIN
PKG_NAME:=pbr
PKG_VERSION:=1.1.4
-PKG_RELEASE:=r7
-PKG_LICENSE:=GPL-3.0-or-later
+PKG_RELEASE:=16
+PKG_LICENSE:=AGPL-3.0-or-later
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
include $(INCLUDE_DIR)/package.mk
-define Package/pbr-service/Default
+define Package/pbr/default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Routing and Redirection
DEPENDS+=+!BUSYBOX_DEFAULT_AWK:gawk
DEPENDS+=+!BUSYBOX_DEFAULT_GREP:grep
DEPENDS+=+!BUSYBOX_DEFAULT_SED:sed
- PROVIDES:=pbr-service
CONFLICTS:=vpnbypass vpn-policy-routing
+ PROVIDES:=pbr
PKGARCH:=all
endef
define Package/pbr
-$(call Package/pbr-service/Default)
+$(call Package/pbr/default)
TITLE+= with nft/nft set support
DEPENDS+=+kmod-nft-core +kmod-nft-nat +nftables-json
- DEFAULT_VARIANT:=1
VARIANT:=nftables
- PROVIDES+=pbr vpnbypass vpn-policy-routing
+ DEFAULT_VARIANT:=1
+ PROVIDES+=vpnbypass vpn-policy-routing
endef
define Package/pbr-iptables
-$(call Package/pbr-service/Default)
+$(call Package/pbr/default)
TITLE+= with iptables/ipset support
DEPENDS+=+ipset +iptables +kmod-ipt-ipset +iptables-mod-ipopt
VARIANT:=iptables
endef
define Package/pbr-netifd
-$(call Package/pbr-service/Default)
+$(call Package/pbr/default)
TITLE+= with netifd support
VARIANT:=netifd
endef
-define Package/pbr-service/description
+define Package/pbr/default/description
This service enables policy-based routing for WAN interfaces and various VPN tunnels.
endef
define Package/pbr/description
- $(call Package/pbr-service/description)
+ $(call Package/pbr/default/description)
This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
endef
define Package/pbr-iptables/description
- $(call Package/pbr-service/description)
+ $(call Package/pbr/default/description)
This version supports OpenWrt with firewall3/ipset/iptables.
endef
define Package/pbr-netifd/description
- $(call Package/pbr-service/description)
+ $(call Package/pbr/default/description)
This version supports OpenWrt with both firewall3/ipset/iptables and firewall4/nft.
This version uses OpenWrt native netifd/tables to set up interfaces. This is WIP.
endef
-define Package/pbr-service/conffiles
+define Package/pbr/default/conffiles
/etc/config/pbr
endef
-Package/pbr/conffiles = $(Package/pbr-service/conffiles)
-Package/pbr-iptables/conffiles = $(Package/pbr-service/conffiles)
-Package/pbr-netifd/conffiles = $(Package/pbr-service/conffiles)
+Package/pbr/conffiles = $(Package/pbr/default/conffiles)
+Package/pbr-iptables/conffiles = $(Package/pbr/default/conffiles)
+Package/pbr-netifd/conffiles = $(Package/pbr/default/conffiles)
define Build/Configure
endef
define Build/Compile
endef
-define Package/pbr-service/install
+define Package/pbr/default/install
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/etc/init.d/pbr $(1)/etc/init.d/pbr
$(SED) "s|^\(readonly PKG_VERSION\).*|\1='$(PKG_VERSION)-$(PKG_RELEASE)'|" $(1)/etc/init.d/pbr
# $(INSTALL_DATA) ./files/etc/hotplug.d/iface/70-pbr $(1)/etc/hotplug.d/iface/70-pbr
define Package/pbr/install
-$(call Package/pbr-service/install,$(1))
+$(call Package/pbr/default/install,$(1))
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
$(INSTALL_DIR) $(1)/usr/share/pbr
$(INSTALL_DATA) ./files/usr/share/pbr/firewall.include $(1)/usr/share/pbr/firewall.include
$(INSTALL_DIR) $(1)/usr/share/nftables.d
$(CP) ./files/usr/share/nftables.d/* $(1)/usr/share/nftables.d/
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-nft $(1)/etc/uci-defaults/91-pbr-nft
endef
define Package/pbr-iptables/install
-$(call Package/pbr-service/install,$(1))
+$(call Package/pbr/default/install,$(1))
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/etc/hotplug.d/firewall/70-pbr $(1)/etc/hotplug.d/firewall/70-pbr
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/etc/config/pbr.iptables $(1)/etc/config/pbr
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-iptables $(1)/etc/uci-defaults/91-pbr-iptables
endef
define Package/pbr-netifd/install
-$(call Package/pbr-service/install,$(1))
+$(call Package/pbr/default/install,$(1))
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/etc/config/pbr $(1)/etc/config/pbr
$(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr $(1)/etc/uci-defaults/91-pbr
+ $(INSTALL_BIN) ./files/etc/uci-defaults/91-pbr-netifd $(1)/etc/uci-defaults/91-pbr-netifd
endef
define Package/pbr/postinst
# check if we are on real system
if [ -z "$${IPKG_INSTROOT}" ]; then
uci -q delete firewall.pbr || true
- echo "Stopping pbr service... "
- /etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL"
+ echo -n "Stopping pbr service... "
+ /etc/init.d/pbr stop quiet >/dev/null 2>&1 && echo "OK" || echo "FAIL"
echo -n "Removing rc.d symlink for pbr... "
/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
fi
# check if we are on real system
if [ -z "$${IPKG_INSTROOT}" ]; then
uci -q delete firewall.pbr || true
- echo "Stopping pbr-iptables service... "
- /etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL"
+ echo -n "Stopping pbr-iptables service... "
+ /etc/init.d/pbr stop quiet >/dev/null 2>&1 && echo "OK" || echo "FAIL"
echo -n "Removing rc.d symlink for pbr-iptables... "
/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
fi
# check if we are on real system
if [ -z "$${IPKG_INSTROOT}" ]; then
uci -q delete firewall.pbr || true
- echo "Stopping pbr-netifd service... "
- /etc/init.d/pbr stop quiet && echo "OK" || echo "FAIL"
+ echo -n "Stopping pbr-netifd service... "
+ /etc/init.d/pbr stop quiet >/dev/null 2>&1 && echo "OK" || echo "FAIL"
echo -n "Removing rc.d symlink for pbr... "
/etc/init.d/pbr disable && echo "OK" || echo "FAIL"
+ echo -n "Cleaning up /etc/iproute2/rt_tables... "
+ if sed -i '/pbr_/d' /etc/iproute2/rt_tables; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ echo -n "Cleaning up /etc/config/network... "
+ if sed -i '/ip.table.*pbr_/d' /etc/config/network; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+ echo -n "Restarting Network... "
+ if /etc/init.d/network restart >/dev/null 2>&1; then
+ echo "OK"
+ else
+ echo "FAIL"
+ fi
+
fi
exit 0
endef
readonly packageLockFile="/var/run/${packageName}.lock"
readonly dnsmasqFileDefault="/var/dnsmasq.d/${packageName}"
readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
-readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
+readonly _OKB_='\033[1;34m\xe2\x9c\x93\033[0m'
+readonly __OKB__='\033[1;34m[\xe2\x9c\x93]\033[0m'
+readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m'
readonly _ERROR_='\033[0;31mERROR\033[0m'
readonly _WARNING_='\033[0;33mWARNING\033[0m'
readonly ssConfigFile='/etc/shadowsocks'
readonly torConfigFile='/etc/tor/torrc'
readonly xrayIfacePrefix='xray_'
+readonly rtTablesFile='/etc/iproute2/rt_tables'
# package config options
procd_boot_timeout=
output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; }
output_okn() { output 1 "$_OK_\\n"; output 2 "$__OK__\\n"; }
+output_okb() { output 1 "$_OKB_"; output 2 "$__OKB__\\n"; }
+output_okbn() { output 1 "$_OKB_\\n"; output 2 "$__OKB__\\n"; }
output_fail() { output 1 "$_FAIL_"; output 2 "$__FAIL__\\n"; }
output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; }
# shellcheck disable=SC2317
esac
eval "$1"='${iface}'
}
-pbr_get_gateway() {
+pbr_get_gateway4() {
local iface="$2" dev="$3" gw
network_get_gateway gw "$iface" true
if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then
is_lan() { local d; network_get_device d "$1"; str_contains "$d" 'br-lan'; }
is_l2tp() { local p; network_get_protocol p "$1"; [ "${p:0:4}" = "l2tp" ]; }
is_mac_address() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev/null; }
-is_netifd_table() { local iface="$1"; [ "$(uci_get 'network' "$iface" 'ip4table')" = "${packageName}_${iface%6}" ]; }
+is_netifd_table() { grep -q "ip.table.*$1" /etc/config/network; }
+is_netifd_table_interface() { local iface="$1"; [ "$(uci_get 'network' "$iface" 'ip4table')" = "${packageName}_${iface%6}" ]; }
is_oc() { local p; network_get_protocol p "$1"; [ "${p:0:11}" = "openconnect" ]; }
is_ovpn() { local d; uci_get_device d "$1"; [ "${d:0:3}" = "tun" ] || [ "${d:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${d}/tun_flags" ]; }
is_ovpn_valid() { local dev_net dev_ovpn; uci_get_device dev_net "$1"; dev_ovpn="$(uci_get 'openvpn' "$1" 'dev')"; [ -n "$dev_net" ] && [ -n "$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; }
# shellcheck disable=SC2155
get_tor_traffic_port() { local i="$(grep -m1 TransPort "$torConfigFile" | awk -F: '{print $2}')"; echo "${i:-9040}"; }
get_xray_traffic_port() { local i="${1//$xrayIfacePrefix}"; [ "$i" = "$1" ] && unset i; echo "$i"; }
-get_rt_tables_id() { local iface="$1"; grep "${ipTablePrefix}_${iface}\$" '/etc/iproute2/rt_tables' | awk '{print $1;}'; }
-get_rt_tables_next_id() { echo "$(($(sort -r -n '/etc/iproute2/rt_tables' | grep -o -E -m 1 "^[0-9]+")+1))"; }
-get_rt_tables_non_pbr_next_id() { echo "$(($(grep -v "${ipTablePrefix}_" '/etc/iproute2/rt_tables' | sort -r -n | grep -o -E -m 1 "^[0-9]+")+1))"; }
+get_rt_tables_id() { local iface="$1"; grep "${ipTablePrefix}_${iface}\$" "$rtTablesFile" | awk '{print $1;}'; }
+get_rt_tables_next_id() { echo "$(($(sort -r -n "$rtTablesFile" | grep -o -E -m 1 "^[0-9]+")+1))"; }
+get_rt_tables_non_pbr_next_id() { echo "$(($(grep -v "${ipTablePrefix}_" "$rtTablesFile" | sort -r -n | grep -o -E -m 1 "^[0-9]+")+1))"; }
# shellcheck disable=SC2016
resolveip_to_ipt() { resolveip "$@" | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d'; }
resolveip_to_ipt4() { resolveip_to_ipt -4 "$@"; }
errorResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system!";;
errorServiceDisabled) r="The ${packageName} service is currently disabled!";;
errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";;
+ errorNoWanInterface) r="The %s inteface not found, you need to set the 'pbr.config.procd_wan_interface' option!";;
+ errorNoWanInterfaceHint) r="Refer to https://docs.openwrt.melmac.net/pbr/#procd_wan_interface.";;
errorIpsetNameTooLong) r="The ipset name '%s' is longer than allowed 31 characters!";;
errorNftsetNameTooLong) r="The nft set name '%s' is longer than allowed 255 characters!";;
errorUnexpectedExit) r="Unexpected exit or service termination: '%s'!";;
errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";;
errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";;
errorFailedToResolve) r="Failed to resolve '%s'!";;
+ errorTryFailed) r="Command failed: %s";;
errorNftFileInstall) r="Failed to install fw4 nft file '%s'!";;
errorDownloadUrlNoHttps) r="Failed to download '%s', HTTPS is not supported!";;
errorDownloadUrl) r="Failed to download '%s'!";;
_build_ifaces_supported() { is_supported_interface "$1" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; }
_find_firewall_wan_zone() { [ "$(uci_get 'firewall' "$1" 'name')" = "wan" ] && firewallWanZone="$1"; }
local i param="$1"
+ local dev4 dev6
if [ -z "$ifacesSupported" ]; then
config_load 'firewall'
config_foreach _find_firewall_wan_zone 'zone'
config_foreach _build_ifaces_supported 'interface'
fi
wanIface4="$procd_wan_interface"
- [ -z "$wanGW4" ] && network_get_gateway wanGW4 "$wanIface4"
+ network_get_device dev4 "$wanIface4"
+ [ -z "$dev4" ] && network_get_physdev dev4 "$wanIface4"
+ [ -z "$wanGW4" ] && pbr_get_gateway4 wanGW4 "$wanIface4" "$dev4"
if [ -n "$ipv6_enabled" ]; then
wanIface6="$procd_wan6_interface"
- [ -z "$wanGW6" ] && network_get_gateway6 wanGW6 "$wanIface6"
+ network_get_device dev6 "$wanIface6"
+ [ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6"
+ [ -z "$wanGW6" ] && pbr_get_gateway6 wanGW6 "$wanIface6" "$dev6"
fi
+
case "$param" in
on_boot|on_start)
[ -n "$wanIface4" ] && output 2 "Using wan interface (${param}): $wanIface4 \\n"
load_network "$param"
[ "$procd_wan_ignore_status" -eq '0' ] || return 0
[ "$param" = 'on_boot' ] || procd_boot_timeout='1'
+ if [ -z "$(uci_get network "$procd_wan_interface")" ]; then
+ state add 'errorSummary' 'errorNoWanInterface' "$procd_wan_interface"
+ state add 'errorSummary' 'errorNoWanInterfaceHint'
+ return 1
+ fi
while [ -z "$wanGW" ] ; do
load_network "$param"
if [ $((sleepCount)) -gt $((procd_boot_timeout)) ] || [ -n "$wanGW" ]; then break; fi
fi
}
-cleanup_rt_tables() { sed -i "/${ipTablePrefix}_/d" '/etc/iproute2/rt_tables'; sync; }
+cleanup_rt_tables() {
+ local i
+# shellcheck disable=SC2013
+ for i in $(grep -oh "${ipTablePrefix}_.*" $rtTablesFile); do
+ ! is_netifd_table "$i" && sed -i "/${i}/d" "$rtTablesFile"
+ done
+ sync
+}
cleanup_main_chains() {
local i
fi
}
+try() {
+ if ! "$@"; then
+ state add 'errorSummary' 'errorTryFailed' "$*"
+ return 1
+ fi
+}
+
interface_routing() {
local action="$1" tid="$2" mark="$3" iface="$4" gw4="$5" dev="$6" gw6="$7" dev6="$8" priority="$9"
local dscp s=0 i ipv4_error=1 ipv6_error=1
fi
case "$action" in
create)
- if is_netifd_table "$iface"; then
+ if is_netifd_table_interface "$iface"; then
ipv4_error=0
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
+ $ip_bin -4 rule del table "$tid" >/dev/null 2>&1
+ try "$ip_bin" -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
if is_nft_mode; then
- nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
+ try nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
else
ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1
ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1
fi
if [ -n "$ipv6_enabled" ]; then
ipv6_error=0
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
+ $ip_bin -6 rule del table "$tid" >/dev/null 2>&1
+ try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$((priority-1))" || ipv6_error=1
fi
else
- if ! grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then
- sed -i "/${ipTablePrefix}_${iface}/d" '/etc/iproute2/rt_tables'
+ if ! grep -q "$tid ${ipTablePrefix}_${iface}" "$rtTablesFile"; then
+ sed -i "/${ipTablePrefix}_${iface}/d" "$rtTablesFile"
sync
- echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables'
+ echo "$tid ${ipTablePrefix}_${iface}" >> "$rtTablesFile"
sync
fi
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- $ip_bin route flush table "$tid" >/dev/null 2>&1
+ $ip_bin -4 rule del table "$tid" >/dev/null 2>&1
+ $ip_bin -4 route flush table "$tid" >/dev/null 2>&1
if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
ipv4_error=0
if [ -z "$gw4" ]; then
- $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
+ try "$ip_bin" -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
else
- $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
+ try "$ip_bin" -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
fi
# shellcheck disable=SC2086
while read -r i; do
i="$(echo "$i" | sed 's/ onlink$//')"
idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')"
if ! is_supported_iface_dev "$idev"; then
- $ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
+ try "$ip_bin" -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
fi
done << EOF
$($ip_bin -4 route list table main)
EOF
- $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
+ try "$ip_bin" -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
if is_nft_mode; then
- nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
+ try nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
else
ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1
ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1
fi
if [ -n "$ipv6_enabled" ]; then
ipv6_error=0
+ $ip_bin -6 rule del table "$tid" >/dev/null 2>&1
+ $ip_bin -6 route flush table "$tid" >/dev/null 2>&1
if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1
- elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
- $ip_bin -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ elif "$ip_bin" -6 route list table main | grep -q " dev $dev6 "; then
+ "$ip_bin" -6 route add default via "$gw6" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
while read -r i; do
i="$(echo "$i" | sed 's/ linkdown$//')"
i="$(echo "$i" | sed 's/ onlink$//')"
# shellcheck disable=SC2086
- $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
done << EOF
$($ip_bin -6 route list table main | grep " dev $dev6 ")
EOF
else
- $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
fi
fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$((priority-1))" >/dev/null 2>&1 || ipv6_error=1
fi
fi
if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
dscp="$(uci_get "$packageName" 'config' "${iface}_dscp")"
if is_nft_mode; then
if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv4Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv4Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1
if [ -n "$ipv6_enabled" ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv6Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_prerouting ${nftIPv6Flag} dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1
fi
fi
if [ "$iface" = "$icmp_interface" ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv4Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv4Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1
if [ -n "$ipv6_enabled" ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv6Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1
+ try nft add rule inet "$nftTable" "${nftPrefix}_output ${nftIPv6Flag} protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1
fi
fi
else
;;
delete|destroy)
$ip_bin rule del table "$tid" >/dev/null 2>&1
- if ! is_netifd_table "$iface"; then
+ if ! is_netifd_table_interface "$iface"; then
$ip_bin route flush table "$tid" >/dev/null 2>&1
- sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables'
+ sed -i "/${ipTablePrefix}_${iface}\$/d" "$rtTablesFile"
sync
fi
return "$s"
;;
reload_interface)
- is_netifd_table "$iface" && return 0;
+ is_netifd_table_interface "$iface" && return 0;
ipv4_error=0
$ip_bin rule del table "$tid" >/dev/null 2>&1
- if ! is_netifd_table "$iface"; then
+ if ! is_netifd_table_interface "$iface"; then
$ip_bin route flush table "$tid" >/dev/null 2>&1
fi
if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
if [ -z "$gw4" ]; then
- $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
+ try "$ip_bin" -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
else
- $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
+ try "$ip_bin" -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
fi
- $ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
+ try "$ip_bin" rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
fi
if [ -n "$ipv6_enabled" ]; then
ipv6_error=0
if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
+ try "$ip_bin" -6 route add unreachable default table "$tid" || ipv6_error=1
elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
while read -r i; do
# shellcheck disable=SC2086
- $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
done << EOF
$($ip_bin -6 route list table main | grep " dev $dev6 ")
EOF
else
- $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
+ try "$ip_bin" -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
fi
fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
+ try "$ip_bin" -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
fi
if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
s=0
[ -z "$ifaceMark" ] && ifaceMark="$(printf '0x%06x' "$wan_mark")"
[ -z "$ifacePriority" ] && ifacePriority="$wan_ip_rules_priority"
- if [ "$action" = 'pre-init' ]; then
- pbr_get_gateway6 gw6 "$iface" "$dev6"
- [ -n "$gw6" ] && ipv6_enabled=1
- [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_non_pbr_next_id)"
- eval "pre_init_mark_${iface//-/_}"='$ifaceMark'
- eval "pre_init_priority_${iface//-/_}"='$ifacePriority'
- eval "pre_init_tid_${iface//-/_}"='$ifaceTableID'
- ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))"
- ifacePriority="$((ifacePriority + 1))"
- ifaceTableID="$((ifaceTableID + 1))"
- return 0
- fi
-
-# TODO: if interfaces are started out of order the rt_tables ID may be incorrect
-# use the expected_tid_${iface} ???
- ifaceTableID="$(get_rt_tables_id "$iface")"
- [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
- eval "mark_${iface//-/_}"='$ifaceMark'
- eval "tid_${iface//-/_}"='$ifaceTableID'
- pbr_get_gateway gw4 "$iface" "$dev"
- pbr_get_gateway6 gw6 "$iface" "$dev6"
- dispGw4="${gw4:-0.0.0.0}"
- dispGw6="${gw6:-::/0}"
- [ "$iface" != "$dev" ] && dispDev="$dev"
- if is_default_dev "$dev"; then
- [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
- fi
- displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
-
case "$action" in
+ pre_init)
+ [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_non_pbr_next_id)"
+ eval "pre_init_mark_${iface//-/_}"='$ifaceMark'
+ eval "pre_init_priority_${iface//-/_}"='$ifacePriority'
+ eval "pre_init_tid_${iface//-/_}"='$ifaceTableID'
+ ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))"
+ ifacePriority="$((ifacePriority - 1))"
+ ifaceTableID="$((ifaceTableID + 1))"
+ return 0
+ ;;
create)
+ ifaceTableID="$(get_rt_tables_id "$iface")"
+ [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
+ eval "mark_${iface//-/_}"='$ifaceMark'
+ eval "tid_${iface//-/_}"='$ifaceTableID'
+ pbr_get_gateway4 gw4 "$iface" "$dev"
+ pbr_get_gateway6 gw6 "$iface" "$dev6"
+ dispGw4="${gw4:-0.0.0.0}"
+ dispGw6="${gw6:-::/0}"
+ [ "$iface" != "$dev" ] && dispDev="$dev"
+ if is_default_dev "$dev"; then
+ [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
+ fi
+ displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
output 2 "Setting up routing for '$displayText' "
if interface_routing 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
json_add_gateway 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- output_ok
+ if is_netifd_table_interface "$iface"; then output_okb; else output_ok; fi
else
state add 'errorSummary' 'errorFailedSetup' "$displayText"
output_fail
fi
;;
create_user_set)
+ ifaceTableID="$(get_rt_tables_id "$iface")"
+ [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
+ eval "mark_${iface//-/_}"='$ifaceMark'
+ eval "tid_${iface//-/_}"='$ifaceTableID'
+ pbr_get_gateway4 gw4 "$iface" "$dev"
+ pbr_get_gateway6 gw6 "$iface" "$dev6"
+ dispGw4="${gw4:-0.0.0.0}"
+ dispGw6="${gw6:-::/0}"
+ [ "$iface" != "$dev" ] && dispDev="$dev"
+ if is_default_dev "$dev"; then
+ [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
+ fi
+ displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
interface_routing 'create_user_set' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"
;;
destroy)
+ ifaceTableID="$(get_rt_tables_id "$iface")"
+ [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
+ eval "mark_${iface//-/_}"='$ifaceMark'
+ eval "tid_${iface//-/_}"='$ifaceTableID'
+ pbr_get_gateway4 gw4 "$iface" "$dev"
+ pbr_get_gateway6 gw6 "$iface" "$dev6"
+ dispGw4="${gw4:-0.0.0.0}"
+ dispGw6="${gw6:-::/0}"
+ [ "$iface" != "$dev" ] && dispDev="$dev"
+ if is_default_dev "$dev"; then
+ [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
+ fi
+ displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
output 2 "Removing routing for '$displayText' "
interface_routing 'destroy' "${ifaceTableID}" "${ifaceMark}" "${iface}"
- output_ok
+ if is_netifd_table_interface "$iface"; then output_okb; else output_ok; fi
;;
reload)
+ ifaceTableID="$(get_rt_tables_id "$iface")"
+ [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
+ eval "mark_${iface//-/_}"='$ifaceMark'
+ eval "tid_${iface//-/_}"='$ifaceTableID'
+ pbr_get_gateway4 gw4 "$iface" "$dev"
+ pbr_get_gateway6 gw6 "$iface" "$dev6"
+ dispGw4="${gw4:-0.0.0.0}"
+ dispGw6="${gw6:-::/0}"
+ [ "$iface" != "$dev" ] && dispDev="$dev"
+ if is_default_dev "$dev"; then
+ [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
+ fi
+ displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
;;
reload_interface)
+ ifaceTableID="$(get_rt_tables_id "$iface")"
+ [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
+ eval "mark_${iface//-/_}"='$ifaceMark'
+ eval "tid_${iface//-/_}"='$ifaceTableID'
+ pbr_get_gateway4 gw4 "$iface" "$dev"
+ pbr_get_gateway6 gw6 "$iface" "$dev6"
+ dispGw4="${gw4:-0.0.0.0}"
+ dispGw6="${gw6:-::/0}"
+ [ "$iface" != "$dev" ] && dispDev="$dev"
+ if is_default_dev "$dev"; then
+ [ "$verbosity" = '1' ] && dispStatus="$_OK_" || dispStatus="$__OK__"
+ fi
+ displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
if [ "$iface" = "$reloadedIface" ]; then
output 2 "Reloading routing for '$displayText' "
if interface_routing 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
json_add_gateway 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- output_ok
+ if is_netifd_table_interface "$iface"; then output_okb; else output_ok; fi
else
state add 'errorSummary' 'errorFailedReload' "$displayText"
output_fail
esac
# ifaceTableID="$((ifaceTableID + 1))"
ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))"
- ifacePriority="$((ifacePriority + 1))"
+ ifacePriority="$((ifacePriority - 2))"
return $s
}
is_wan_up "$param" || return 1
interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'pre-init'
+ config_foreach interface_process 'interface' 'pre_init'
case "$param" in
on_boot)
# echo "$_SEPARATOR_"
# ip rule list | grep "${packageName}_"
echo "$_SEPARATOR_"
- tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
+ tableCount="$(grep -c "${packageName}_" $rtTablesFile)" || tableCount=0
wan_tid=$(($(get_rt_tables_next_id)-tableCount))
i=0; while [ $i -lt "$tableCount" ]; do
echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
echo "$_SEPARATOR_"
echo "Routes/IP Rules"
- tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
+ tableCount="$(grep -c "${packageName}_" $rtTablesFile)" || tableCount=0
if [ -n "$set_d" ]; then route; else route | grep '^default'; fi
if [ -n "$set_d" ]; then ip rule list; fi
wan_tid=$(($(get_rt_tables_next_id)-tableCount))
+++ /dev/null
-#!/bin/sh /etc/rc.common
-# Copyright 2020-2022 Stan Grishin (stangri@melmac.ca)
-# shellcheck disable=SC1091,SC2018,SC2019,SC3043,SC3057,SC3060
-
-# sysctl net.ipv4.conf.default.rp_filter=1
-# sysctl net.ipv4.conf.all.rp_filter=1
-
-# shellcheck disable=SC2034
-START=94
-# shellcheck disable=SC2034
-USE_PROCD=1
-
-if type extra_command >/dev/null 2>&1; then
- extra_command 'status' "Generates output required to troubleshoot routing issues
- Use '-d' option for more detailed output
- Use '-p' option to automatically upload data under VPR paste.ee account
- WARNING: while paste.ee uploads are unlisted, they are still publicly available
- List domain names after options to include their lookup in report"
- extra_command 'version' 'Show version information'
- extra_command 'on_firewall_reload' ' Run service on firewall reload'
- extra_command 'on_interface_reload' ' Run service on indicated interface reload'
-else
-# shellcheck disable=SC2034
- EXTRA_COMMANDS='on_firewall_reload on_interface_reload status version'
-# shellcheck disable=SC2034
- EXTRA_HELP=" status Generates output required to troubleshoot routing issues
- Use '-d' option for more detailed output
- Use '-p' option to automatically upload data under VPR paste.ee account
- WARNING: while paste.ee uploads are unlisted, they are still publicly available
- List domain names after options to include their lookup in report"
-fi
-
-readonly PKG_VERSION='dev-test'
-readonly packageName='pbr'
-readonly serviceName="$packageName $PKG_VERSION"
-readonly serviceTrapSignals='exit SIGHUP SIGQUIT SIGKILL'
-readonly packageConfigFile="/etc/config/${packageName}"
-readonly packageLockFile="/var/run/${packageName}.lock"
-readonly nftTempFile="/var/run/${packageName}.nft"
-#readonly nftPermFile="/etc/nftables.d/table-post/30-pbr.nft"
-readonly dnsmasqFile="/var/dnsmasq.d/${packageName}"
-readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
-readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
-readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
-readonly __FAIL__='\033[0;31m[\xe2\x9c\x97]\033[0m'
-readonly _ERROR_='\033[0;31mERROR\033[0m'
-readonly _WARNING_='\033[0;33mWARNING\033[0m'
-readonly ip_full='/usr/libexec/ip-full'
-# shellcheck disable=SC2155
-readonly ip_bin="$(command -v ip)"
-readonly ipTablePrefix='pbr'
-# shellcheck disable=SC2155
-readonly iptables="$(command -v iptables)"
-# shellcheck disable=SC2155
-readonly ip6tables="$(command -v ip6tables)"
-# shellcheck disable=SC2155
-readonly ipset="$(command -v ipset)"
-readonly ipsPrefix='pbr'
-readonly iptPrefix='PBR'
-# shellcheck disable=SC2155
-readonly agh="$(command -v AdGuardHome)"
-readonly aghConfigFile='/etc/adguardhome.yaml'
-readonly aghIpsetFile="/var/run/${packageName}.adguardhome.ipsets"
-# shellcheck disable=SC2155
-readonly nft="$(command -v nft)"
-readonly nftTable="fw4"
-readonly nftPrefix='pbr'
-readonly chainsList='forward input output postrouting prerouting'
-
-# package config options
-boot_timeout=
-enabled=
-fw_mask=
-icmp_interface=
-ignored_interface=
-ipv6_enabled=
-nft_user_set_policy=
-nft_user_set_counter=
-procd_boot_delay=
-procd_reload_delay=
-resolver_set=
-rule_create_option=
-secure_reload=
-strict_enforcement=
-supported_interface=
-verbosity=
-wan_ip_rules_priority=
-wan_mark=
-
-# run-time
-gatewaySummary=
-errorSummary=
-warningSummary=
-wanIface4=
-wanIface6=
-ifaceMark=
-ifaceTableID=
-ifacePriority=
-ifacesAll=
-ifacesSupported=
-firewallWanZone=
-wanGW4=
-wanGW6=
-serviceStartTrigger=
-processPolicyError=
-processPolicyWarning=
-resolver_set_supported=
-nftPrevParam4=
-nftPrevParam6=
-
-get_text() {
- local r
- case "$1" in
- errorConfigValidation) r="Config ($packageConfigFile) validation failure!";;
- errorNoIpFull) r="ip-full binary cannot be found!";;
- errorNoIptables) r="iptables binary cannot be found!";;
- errorNoIpset) r="Resolver set support (${resolver_set}) requires ipset, but ipset binary cannot be found!";;
- errorNoNft) r="Resolver set support (${resolver_set}) requires nftables, but nft binary cannot be found!";;
- errorResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system!";;
- errorServiceDisabled) r="The ${packageName} service is currently disabled!";;
- errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";;
- errorIpsetNameTooLong) r="The ipset name '%s' is longer than allowed 31 characters!";;
- errorNftsetNameTooLong) r="The nft set name '%s' is longer than allowed 31 characters!";;
- errorUnexpectedExit) r="Unexpected exit or service termination: '%s'!";;
- errorPolicyNoSrcDest) r="Policy '%s' has no source/destination parameters!";;
- errorPolicyNoInterface) r="Policy '%s' has no assigned interface!";;
- errorPolicyUnknownInterface) r="Policy '%s' has an unknown interface!";;
- errorPolicyProcessCMD) r="'%s'!";;
- errorFailedSetup) r="Failed to set up '%s'!";;
- errorFailedReload) r="Failed to reload '%s'!";;
- errorUserFileNotFound) r="Custom user file '%s' not found or empty!";;
- errorUserFileSyntax) r="Syntax error in custom user file '%s'!";;
- errorUserFileRunning) r="Error running custom user file '%s'!";;
- errorUserFileNoCurl) r="Use of 'curl' is detected in custom user file '%s', but 'curl' isn't installed!";;
- errorNoGateways) r="Failed to set up any gateway!";;
- errorResolver) r="Resolver '%s'!";;
- errorPolicyProcessNoIpv6) r="Skipping IPv6 policy '%s' as IPv6 support is disabled!";;
- errorPolicyProcessUnknownFwmark) r="Unknown packet mark for interface '%s'!";;
- errorPolicyProcessMismatchFamily) r="Mismatched IP family between in policy '%s'!";;
- errorPolicyProcessUnknownProtocol) r="Unknown protocol in policy '%s'!";;
- errorPolicyProcessInsertionFailed) r="Insertion failed for both IPv4 and IPv6 for policy '%s'!";;
- errorPolicyProcessInsertionFailedIpv4) r="Insertion failed for IPv4 for policy '%s'!";;
- errorInterfaceRoutingEmptyValues) r="Received empty tid/mark or interface name when setting up routing!";;
- errorFailedToResolve) r="Failed to resolve '%s'!";;
- warningInvalidOVPNConfig) r="Invalid OpenVPN config for '%s' interface.";;
- warningResolverNotSupported) r="Resolver set (${resolver_set}) is not supported on this system.";;
- warningAGHVersionTooLow) r="Installed AdGuardHome ('%s') doesn't support 'ipset_file' option.";;
- warningPolicyProcessCMD) r="'%s'";;
- warningTorUnsetParams) r="Please unset 'src_addr', 'src_port' and 'dest_port' for policy '%s'.";;
- warningTorUnsetProto) r="Please unset 'proto' or set 'proto' to 'all' for policy '%s'.";;
- warningTorUnsetChainIpt) r="Please unset 'chain' or set 'chain' to 'PREROUTING' for policy '%s'.";;
- warningTorUnsetChainNft) r="Please unset 'chain' or set 'chain' to 'prerouting' for policy '%s'.";;
- warningOutdatedWebUIApp) r="The WebUI application is outdated (version %s), please update it.";;
- esac
- echo "$r"
-}
-
-version() { echo "$PKG_VERSION"; }
-output_ok() { output 1 "$_OK_"; output 2 "$__OK__\\n"; }
-output_okn() { output 1 "$_OK_\\n"; output 2 "$__OK__\\n"; }
-output_fail() { s=1; output 1 "$_FAIL_"; output 2 "$__FAIL__\\n"; }
-output_failn() { output 1 "$_FAIL_\\n"; output 2 "$__FAIL__\\n"; }
-# shellcheck disable=SC2317
-str_replace() { printf "%b" "$1" | sed -e "s/$(printf "%b" "$2")/$(printf "%b" "$3")/g"; }
-str_replace() { echo "${1//$2/$3}"; }
-str_contains() { [ -n "$1" ] && [ -n "$2" ] && [ "${1//$2}" != "$1" ]; }
-is_greater() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" != "$1"; }
-is_greater_or_equal() { test "$(printf '%s\n' "$@" | sort -V | head -n 1)" = "$2"; }
-str_contains_word() { echo "$1" | grep -q -w "$2"; }
-str_to_lower() { echo "$1" | tr 'A-Z' 'a-z'; }
-str_to_upper() { echo "$1" | tr 'a-z' 'A-Z'; }
-str_extras_to_underscore() { echo "$1" | tr '[\. ~`!@#$%^&*()\+/,<>?//;:]' '_'; }
-str_extras_to_space() { echo "$1" | tr ';{}' ' '; }
-debug() { local i j; for i in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; }
-output() {
-# Can take a single parameter (text) to be output at any verbosity
-# Or target verbosity level and text to be output at specifc verbosity
- local msg memmsg logmsg
- local sharedMemoryOutput="/dev/shm/$packageName-output"
- verbosity="${verbosity:-2}"
- if [ "$#" -ne 1 ]; then
- if [ $((verbosity & $1)) -gt 0 ] || [ "$verbosity" = "$1" ]; then shift; else return 0; fi
- fi
- [ -t 1 ] && printf "%b" "$1"
- msg="${1//$serviceName /service }";
- if [ "$(printf "%b" "$msg" | wc -l)" -gt 0 ]; then
- [ -s "$sharedMemoryOutput" ] && memmsg="$(cat "$sharedMemoryOutput")"
- logmsg="$(printf "%b" "${memmsg}${msg}" | sed 's/\x1b\[[0-9;]*m//g')"
- logger -t "${packageName:-service}" "$(printf "%b" "$logmsg")"
- rm -f "$sharedMemoryOutput"
- else
- printf "%b" "$msg" >> "$sharedMemoryOutput"
- fi
-}
-is_present() { command -v "$1" >/dev/null 2>&1; }
-is_installed() { [ -s "/usr/lib/opkg/info/${1}.control" ]; }
-is_variant_installed() { [ "$(echo /usr/lib/opkg/info/"${1}"*.control)" != "/usr/lib/opkg/info/${1}*.control" ]; }
-is_nft() { [ -x "$nft" ] && ! str_contains "$resolver_set" 'ipset' && "$nft" list chains inet | grep -q "${nftPrefix}_prerouting"; }
-_find_firewall_wan_zone() { [ "$(uci -q get "firewall.${1}.name")" = "wan" ] && firewallWanZone="$1"; }
-_build_ifaces_all() { ifacesAll="${ifacesAll}${1} "; }
-_build_ifaces_supported() { is_supported_interface "$1" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${1} "; }
-pbr_find_iface() {
- local iface i param="$2"
- [ "$param" = 'wan6' ] || param='wan'
- "network_find_${param}" iface
- is_tunnel "$iface" && unset iface
- if [ -z "$iface" ]; then
- for i in $ifacesAll; do
- if "is_${param}" "$i"; then break; else unset i; fi
- done
- fi
- eval "$1"='${iface:-$i}'
-}
-pbr_get_gateway() {
- local iface="$2" dev="$3" gw
- network_get_gateway gw "$iface" true
- if [ -z "$gw" ] || [ "$gw" = '0.0.0.0' ]; then
-# gw="$(ubus call "network.interface.${iface}" status | jsonfilter -e "@.route[0].nexthop")"
- gw="$($ip_bin -4 a list dev "$dev" 2>/dev/null | grep inet | awk '{print $2}' | awk -F "/" '{print $1}')"
- fi
- eval "$1"='$gw'
-}
-pbr_get_gateway6() {
- local iface="$2" dev="$3" gw
- network_get_gateway6 gw "$iface" true
- if [ -z "$gw" ] || [ "$gw" = '::/0' ] || [ "$gw" = '::0/0' ] || [ "$gw" = '::' ]; then
- gw="$($ip_bin -6 a list dev "$dev" 2>/dev/null | grep inet6 | grep 'scope global' | awk '{print $2}')"
- fi
- eval "$1"='$gw'
-}
-is_dslite() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:6}" = "dslite" ]; }
-is_l2tp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "l2tp" ]; }
-is_oc() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:11}" = "openconnect" ]; }
-# is_ovpn() { local dev; network_get_device dev "$1"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
-is_ovpn() { local dev; dev="$(uci -q get "network.${1}.device")"; [ -z "$dev" ] && dev="$(uci -q get "network.${1}.dev")"; [ "${dev:0:3}" = "tun" ] || [ "${dev:0:3}" = "tap" ] || [ -f "/sys/devices/virtual/net/${dev}/tun_flags" ]; }
-is_valid_ovpn() { local dev_net dev_ovpn; dev_net="$(uci -q get "network.${1}.device")"; [ -z "$dev_net" ] && dev_net="$(uci -q get "network.${1}.dev")"; dev_ovpn="$(uci -q get "openvpn.${1}.dev")"; [ -n "$dev_net" ] && [ -n "$dev_ovpn" ] && [ "$dev_net" = "$dev_ovpn" ]; }
-is_pptp() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:4}" = "pptp" ]; }
-is_softether() { local dev; network_get_device dev "$1"; [ "${dev:0:4}" = "vpn_" ]; }
-is_tor() { [ "$(str_to_lower "$1")" = "tor" ]; }
-is_tor_running() {
- local ret=0
- if [ -s "/etc/tor/torrc" ]; then
- json_load "$(ubus call service list "{ 'name': 'tor' }")"
- json_select 'tor'; json_select 'instances'; json_select 'instance1';
- json_get_var ret 'running'; json_cleanup
- fi
- if [ "$ret" = "0" ]; then return 1; else return 0; fi
-}
-is_wg() { local proto; proto=$(uci -q get network."$1".proto); [ "${proto:0:9}" = "wireguard" ]; }
-is_tunnel() { is_dslite "$1" || is_l2tp "$1" || is_oc "$1" || is_ovpn "$1" || is_pptp "$1" || is_softether "$1" || is_tor "$1" || is_wg "$1"; }
-is_wan() { [ "$1" = "$wanIface4" ] || { [ "${1##wan}" != "$1" ] && [ "${1##wan6}" = "$1" ]; } || [ "${1%%wan}" != "$1" ]; }
-is_wan6() { [ -n "$wanIface6" ] && [ "$1" = "$wanIface6" ] || [ "${1/#wan6}" != "$1" ] || [ "${1/%wan6}" != "$1" ]; }
-is_ignored_interface() { str_contains_word "$ignored_interface" "$1"; }
-is_supported_interface() { str_contains_word "$supported_interface" "$1" || { ! is_ignored_interface "$1" && { is_wan "$1" || is_wan6 "$1" || is_tunnel "$1"; }; } || is_ignore_target "$1"; }
-is_ignore_target() { [ "$(str_to_lower "$1")" = 'ignore' ]; }
-is_mac_address() { expr "$1" : '[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]$' >/dev/null; }
-is_ipv4() { expr "$1" : '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$' >/dev/null; }
-is_ipv6() { ! is_mac_address "$1" && str_contains "$1" ":"; }
-is_family_mismatch() { ( is_netmask "${1//!}" && is_ipv6 "${2//!}" ) || ( is_ipv6 "${1//!}" && is_netmask "${2//!}" ); }
-is_ipv6_link_local() { [ "${1:0:4}" = "fe80" ]; }
-is_ipv6_unique_local() { [ "${1:0:2}" = "fc" ] || [ "${1:0:2}" = "fd" ]; }
-is_ipv6_global() { [ "${1:0:4}" = "2001" ]; }
-# is_ipv6_global() { is_ipv6 "$1" && ! is_ipv6_link_local "$1" && ! is_ipv6_link_local "$1"; }
-is_list() { str_contains "$1" "," || str_contains "$1" " "; }
-is_netmask() { local ip="${1%/*}"; [ "$ip" != "$1" ] && is_ipv4 "$ip"; }
-is_domain() { ! is_ipv6 "$1" && str_contains "$1" '[a-zA-Z]'; }
-is_phys_dev() { [ "${1:0:1}" = "@" ] && ip l show | grep -E -q "^\\d+\\W+${1:1}"; }
-dnsmasq_kill() { killall -q -s HUP dnsmasq; }
-dnsmasq_restart() { output 3 'Restarting dnsmasq '; if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then output_okn; else output_failn; fi; }
-is_default_dev() { [ "$1" = "$($ip_bin -4 r | grep -m1 'dev' | grep -Eso 'dev [^ ]*' | awk '{print $2}')" ]; }
-is_supported_iface_dev() { local n dev; for n in $ifacesSupported; do network_get_device dev "$n"; [ "$1" = "$dev" ] && return 0; done; return 1; }
-is_supported_protocol() { grep -o '^[^#]*' /etc/protocols | grep -w -v '0' | grep . | awk '{print $1}' | grep -q "$1"; }
-is_service_running_iptables() { [ -x "$iptables" ] && "$iptables" -t mangle -L | grep -q "${iptPrefix}_PREROUTING" >/dev/null 2>&1; }
-is_service_running_nft() { [ -x "$nft" ] && [ -n "$(get_mark_nft_chains)" ]; }
-# atomic
-# is_service_running_nft() { [ -x "$nft" ] && [ -s "$nftPermFile" ]; }
-is_service_running() { if is_nft; then is_service_running_nft; else is_service_running_iptables; fi; }
-is_netifd_table() { local iface="$1"; [ "$(uci -q get "network.${iface}.ip4table")" = "${packageName}_${iface%6}" ]; }
-get_rt_tables_id() { local iface="$1"; grep "${ipTablePrefix}_${iface}\$" '/etc/iproute2/rt_tables' | awk '{print $1;}'; }
-get_rt_tables_next_id() { echo "$(($(sort -r -n '/etc/iproute2/rt_tables' | grep -o -E -m 1 "^[0-9]+")+1))"; }
-_check_config() { local en; config_get_bool en "$1" 'enabled' 1; [ "$en" -gt 0 ] && _cfg_enabled=0; }
-is_config_enabled() {
- local cfg="$1" _cfg_enabled=1
- [ -n "$1" ] || return 1
- config_load "$packageName"
- config_foreach _check_config "$cfg"
- return "$_cfg_enabled"
-}
-# shellcheck disable=SC2016
-resolveip_to_ipt() { resolveip "$@" | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d'; }
-resolveip_to_ipt4() { resolveip_to_ipt -4 "$@"; }
-resolveip_to_ipt6() { [ -n "$ipv6_enabled" ] && resolveip_to_ipt -6 "$@"; }
-# shellcheck disable=SC2016
-resolveip_to_nftset() { resolveip "$@" | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; }
-resolveip_to_nftset4() { resolveip_to_nftset -4 "$@"; }
-resolveip_to_nftset6() { [ -n "$ipv6_enabled" ] && resolveip_to_nftset -6 "$@"; }
-# shellcheck disable=SC2016
-ipv4_leases_to_nftset() { [ -s '/tmp/dhcp.leases' ] || return 1; grep "$1" '/tmp/dhcp.leases' | awk '{print $3}' | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; }
-# shellcheck disable=SC2016
-ipv6_leases_to_nftset() { [ -s '/tmp/hosts/odhcpd' ] || return 1; grep -v '^\#' '/tmp/hosts/odhcpd' | grep "$1" | awk '{print $1}' | sed -n 'H;${x;s/\n/,/g;s/^,//;p;};d' | tr '\n' ' '; }
-# shellcheck disable=SC3037
-ports_to_nftset() { echo -ne "$value"; }
-get_mark_ipt_chains() { [ -n "$(command -v iptables-save)" ] && iptables-save | grep ":${iptPrefix}_MARK_" | awk '{ print $1 }' | sed 's/://'; }
-get_mark_nft_chains() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null | grep chain | grep "${nftPrefix}_mark_" | awk '{ print $2 }'; }
-get_ipsets() { [ -x "$(command -v ipset)" ] && ipset list | grep "${ipsPrefix}_" | awk '{ print $2 }'; }
-get_nft_sets() { [ -x "$nft" ] && "$nft" list table inet "$nftTable" 2>/dev/null | grep 'set' | grep "${nftPrefix}_" | awk '{ print $2 }'; }
-is_ipset_type_supported() { ipset help hash:"$1" >/dev/null 2>&1; }
-ubus_get_status() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.status.${1}"; }
-ubus_get_iface() { ubus call service list "{ 'name': '$packageName' }" | jsonfilter -e "@.${packageName}.instances.main.data.interfaces[@.name='${1}']${2:+.$2}"; }
-opkg_get_version() { grep -m1 -A1 "Package: $1$" '/usr/lib/opkg/status' | grep -m1 'Version: ' | sed 's|Version: \(.*\)|\1|'; }
-
-load_package_config() {
- config_load "$packageName"
- config_get boot_timeout 'config' 'boot_timeout' '30'
- config_get_bool enabled 'config' 'enabled' '0'
- config_get fw_mask 'config' 'fw_mask' 'ff0000'
- config_get icmp_interface 'config' 'icmp_interface'
- config_get ignored_interface 'config' 'ignored_interface'
- config_get_bool ipv6_enabled 'config' 'ipv6_enabled' '0'
- config_get nft_user_set_policy 'config' 'nft_user_set_policy' 'memory'
- config_get_bool nft_user_set_counter 'config' 'nft_user_set_counter' '0'
- config_get procd_boot_delay 'config' 'procd_boot_delay' '0'
- config_get resolver_set 'config' 'resolver_set'
- config_get rule_create_option 'config' 'rule_create_option' 'add'
- config_get_bool secure_reload 'config' 'secure_reload' '1'
- config_get_bool strict_enforcement 'config' 'strict_enforcement' '0'
- config_get supported_interface 'config' 'supported_interface'
- config_get verbosity 'config' 'verbosity' '2'
- config_get wan_ip_rules_priority 'config' 'wan_ip_rules_priority' '30000'
- config_get wan_mark 'config' 'wan_mark' '010000'
- fw_mask="0x${fw_mask}"
- wan_mark="0x${wan_mark}"
- [ -n "$ipv6_enabled" ] && [ "$ipv6_enabled" -eq 0 ] && unset ipv6_enabled
- . /lib/functions/network.sh
- . /usr/share/libubox/jshn.sh
- mkdir -p "${dnsmasqFile%/*}"
- if is_nft; then
- fw_maskXor="$(printf '%#x' "$((fw_mask ^ 0xffffffff))")"
- fw_maskXor="${fw_maskXor:-0xff00ffff}"
- if [ "$nft_user_set_counter" -eq '0' ]; then
- unset nft_user_set_counter
- fi
- else
- case $rule_create_option in
- insert|-i|-I) rule_create_option='-I';;
- add|-a|-A|*) rule_create_option='-A';;
- esac
- fi
-}
-
-load_environment() {
- local param="$1" validation_result="$2"
- load_package_config
- case "$param" in
- on_start)
- if [ -n "$validation_result" ] && [ "$validation_result" != '0' ]; then
- output "${_ERROR_}: The $packageName config validation failed!\\n"
- output "Please check if the '$packageConfigFile' contains correct values for config options.\\n"
- state add 'errorSummary' 'errorConfigValidation'
- return 1
- fi
- if [ "$enabled" -eq 0 ]; then
- state add 'errorSummary' 'errorServiceDisabled'
- return 1
- fi
- if [ ! -x "$ip_bin" ]; then
- state add 'errorSummary' 'errorNoIpFull'
- return 1
- fi
- if ! is_nft; then
- if [ -z "$iptables" ] || [ ! -x "$iptables" ]; then
- state add 'errorSummary' 'errorNoIptables'
- return 1
- fi
- fi
- rm -f "$packageLockFile"
- resolver 'check_support'
- ;;
- on_stop)
- touch "$packageLockFile"
- ;;
- esac
- load_network "$param"
-}
-
-load_network() {
- local i
- config_load 'network'
- [ -z "$ifacesAll" ] && config_foreach _build_ifaces_all 'interface'
- if [ -z "$ifacesSupported" ]; then
- config_load 'firewall'
- config_foreach _find_firewall_wan_zone 'zone'
- for i in $(uci -q get "firewall.${firewallWanZone}.network"); do
- is_supported_interface "$i" && ! str_contains "$ifacesSupported" "$1" && ifacesSupported="${ifacesSupported}${i} "
- done
- config_load 'network'
- config_foreach _build_ifaces_supported 'interface'
- fi
- pbr_find_iface wanIface4 'wan'
- [ -n "$ipv6_enabled" ] && pbr_find_iface wanIface6 'wan6'
- [ -n "$wanIface4" ] && network_get_gateway wanGW4 "$wanIface4"
- [ -n "$wanIface6" ] && network_get_gateway6 wanGW6 "$wanIface6"
- wanGW="${wanGW4:-$wanGW6}"
-}
-
-is_wan_up() {
- local sleepCount='1'
- load_network
- while [ -z "$wanGW" ] ; do
- load_network
- if [ $((sleepCount)) -gt $((boot_timeout)) ] || [ -n "$wanGW" ]; then break; fi
- output "$serviceName waiting for wan gateway...\\n"
- sleep 1
- network_flush_cache
- sleepCount=$((sleepCount+1))
- done
- if [ -n "$wanGW" ]; then
- return 0
- else
- state add 'errorSummary' 'errorNoWanGateway'
- return 1
- fi
-}
-
-# shellcheck disable=SC2086
-ipt4() {
- local d
- [ -x "$iptables" ] || return 1
- for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
- [ "$d" != "$*" ] && "$iptables" $d >/dev/null 2>&1
- done
- d="$*"; "$iptables" $d >/dev/null 2>&1
-}
-
-# shellcheck disable=SC2086
-ipt6() {
- local d
- [ -n "$ipv6_enabled" ] || return 0
- [ -x "$ip6tables" ] || return 1
- for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
- [ "$d" != "$*" ] && "$ip6tables" $d >/dev/null 2>&1
- done
- d="$*"
- "$ip6tables" $d >/dev/null 2>&1
-}
-
-# shellcheck disable=SC2086
-ipt() {
- local d failFlagIpv4=1 failFlagIpv6=1
- [ -x "$iptables" ] || return 1
- for d in "${*//-A/-D}" "${*//-I/-D}" "${*//-N/-F}" "${*//-N/-X}"; do
- if [ "$d" != "$*" ]; then
- "$iptables" $d >/dev/null 2>&1
- [ -x "$ip6tables" ] && "$ip6tables" $d >/dev/null 2>&1
- fi
- done
- d="$*"; "$iptables" $d >/dev/null 2>&1 && failFlagIpv4=0;
- if [ -n "$ipv6_enabled" ] && [ -x "$ip6tables" ]; then
- "$ip6tables" $d >/dev/null 2>&1 && failFlagIpv6=0
- fi
- [ "$failFlagIpv4" -eq 0 ] || [ "$failFlagIpv6" -eq 0 ]
-}
-
-# shellcheck disable=SC2086
-ips4() { [ -x "$ipset" ] && "$ipset" "$@" >/dev/null 2>&1; }
-ips6() { [ -x "$ipset" ] && { if [ -n "$ipv6_enabled" ] && [ -n "$*" ]; then "$ipset" "$@" >/dev/null 2>&1; else return 1; fi; }; }
-ips() {
- local command="$1" iface="$2" target="${3:-dst}" type="${4:-ip}" uid="$5" comment="$6" param="$7" mark="$7"
- local ipset4 ipset6 i
- local ipv4_error=1 ipv6_error=1
- ipset4="${ipsPrefix}${iface:+_$iface}_4${target:+_$target}${type:+_$type}${uid:+_$uid}"
- ipset6="${ipsPrefix}${iface:+_$iface}_6${target:+_$target}${type:+_$type}${uid:+_$uid}"
-
- [ -x "$ipset" ] || return 1
-
- if [ "${#ipset4}" -gt 31 ]; then
- state add 'errorSummary' 'errorIpsetNameTooLong' "$ipset4"
- return 1
- fi
-
- case "$command" in
- add)
- ips4 -q -! add "$ipset4" ["$param"] comment "$comment" && ipv4_error=0
- ips6 -q -! add "$ipset6" ["$param"] comment "$comment" && ipv6_error=0
- ;;
- add_agh_element)
- [ -n "$ipv6_enabled" ] || unset ipset6
- echo "${param}/${ipset4}${ipset6:+,$ipset6}" >> "$aghIpsetFile" && ipv4_error=0
- ;;
- add_dnsmasq_element)
- [ -n "$ipv6_enabled" ] || unset ipset6
- echo "ipset=/${param}/${ipset4}${ipset6:+,$ipset6} # $comment" >> "$dnsmasqFile" && ipv4_error=0
- ;;
- create)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- ;;
- create_agh_set)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- ;;
- create_dnsmasq_set)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- ;;
- create_user_set)
- case "$type" in
- ip|net)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv6_error=0
- case "$target" in
- dst)
- ipt4 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" dst -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" dst -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- src)
- ipt4 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- ips4 -q -! create "$ipset4" "hash:$type" comment && ipv4_error=0
- ips6 -q -! create "$ipset6" "hash:$type" comment family inet6 && ipv4_error=0
- ipt4 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -A "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- delete|destroy)
- ips4 -q -! destroy "$ipset4" && ipv4_error=0
- ips6 -q -! destroy "$ipset6" && ipv6_error=0
- ;;
- delete_user_set)
- ips4 -q -! destroy "$ipset4" && ipv4_error=0
- ips6 -q -! destroy "$ipset6" family inet6 && ipv6_error=0
- case "$type" in
- ip|net)
- case "$target" in
- dst)
- ipt4 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" dst -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" dst -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- src)
- ipt4 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- ipt4 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset4" src -g "${iptPrefix}_MARK_${mark}" && ipv4_error=0
- ipt6 -t mangle -D "${iptPrefix}_PREROUTING" -m set --match-set "$ipset6" src -g "${iptPrefix}_MARK_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- flush|flush_user_set)
- ips4 -q -! flush "$ipset4" && ipv4_error=0
- ips6 -q -! flush "$ipset6" && ipv6_error=0
- ;;
- esac
- if [ "$ipv4_error" -eq '0' ] || [ "$ipv6_error" -eq '0' ]; then
- return 0
- else
- return 1
- fi
-}
-
-# atomic
-#nfta() { echo "$@" >> "$nftTempFile"; }
-#nfta4() { echo "$@" >> "$nftTempFile"; }
-#nfta6() { [ -z "$ipv6_enabled" ] || echo "$@" >> "$nftTempFile"; }
-#nft() { nfta "$@"; [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-#nft4() { nfta "$@"; [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-#nft6() { nfta "$@"; [ -n "$ipv6_enabled" ] || return 0; [ -x "$nft" ] && [ -n "$*" ] && "$nft" "$@" >/dev/null 2>&1; }
-nft() { [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-nft4() { [ -x "$nft" ] && "$nft" "$@" >/dev/null 2>&1; }
-nft6() { [ -n "$ipv6_enabled" ] || return 0; [ -x "$nft" ] && [ -n "$*" ] && "$nft" "$@" >/dev/null 2>&1; }
-nftset() {
- local command="$1" iface="$2" target="${3:-dst}" type="${4:-ip}" uid="$5" comment="$6" param="$7" mark="$7"
- local nftset4 nftset6 i param4 param6
- local ipv4_error=1 ipv6_error=1
- nftset4="${nftPrefix}${iface:+_$iface}_4${target:+_$target}${type:+_$type}${uid:+_$uid}"
- nftset6="${nftPrefix}${iface:+_$iface}_6${target:+_$target}${type:+_$type}${uid:+_$uid}"
-
- [ -x "$nft" ] || return 1
-
- if [ "${#nftset4}" -gt 255 ]; then
- state add 'errorSummary' 'errorNftsetNameTooLong' "$nftset4"
- return 1
- fi
-
- case "$command" in
- add)
- if is_netmask "$param" || is_ipv4 "$param" || is_ipv6 "$param" \
- || is_mac_address "$param" || is_list "$param"; then
- nft4 add element inet "$nftTable" "$nftset4" "{ $param }" && ipv4_error=0
- nft6 add element inet "$nftTable" "$nftset6" "{ $param }" && ipv6_error=0
- else
- if [ "$target" = 'src' ]; then
- param4="$(ipv4_leases_to_nftset "$param")"
- param6="$(ipv6_leases_to_nftset "$param")"
- fi
- [ -z "$param4" ] && param4="$(resolveip_to_nftset4 "$param")"
- [ -z "$param6" ] && param6="$(resolveip_to_nftset6 "$param")"
- if [ -z "$param4" ] && [ -z "$param6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$param"
- else
- nft4 add element inet "$nftTable" "$nftset4" "{ $param4 }" && ipv4_error=0
- nft6 add element inet "$nftTable" "$nftset6" "{ $param6 }" && ipv6_error=0
- fi
- fi
- ;;
- add_dnsmasq_element)
- [ -n "$ipv6_enabled" ] || unset nftset6
- echo "nftset=/${param}/4#inet#${nftTable}#${nftset4}${nftset6:+,6#inet#${nftTable}#$nftset6} # $comment" >> "$dnsmasqFile" && ipv4_error=0
- ;;
- create)
- case "$type" in
- ip|net)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ipv4_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ipv6_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error=0
- ;;
- mac)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ether_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ether_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error=0
- ;;
- esac
- ;;
- create_dnsmasq_set)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ipv4_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ipv6_addr; counter; flags interval; auto-merge; comment \"$comment\"; }" && ipv6_error=0
- ;;
- create_user_set)
- case "$type" in
- ip|net)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ipv4_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ipv6_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv6_error=0
- case "$target" in
- dst)
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- src)
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- nft4 add set inet "$nftTable" "$nftset4" "{ type ether_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv4_error=0
- nft6 add set inet "$nftTable" "$nftset6" "{ type ether_addr; ${nft_user_set_counter:+counter;} flags interval; auto-merge; policy $nft_user_set_policy; comment \"$comment\"; }" && ipv6_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- delete|destroy)
- nft delete set inet "$nftTable" "$nftset4" && ipv4_error=0
- nft delete set inet "$nftTable" "$nftset6" && ipv6_error=0
- ;;
- delete_user_set)
- nft delete set inet "$nftTable" "$nftset4" && ipv4_error=0
- nft delete set inet "$nftTable" "$nftset6" && ipv6_error=0
- case "$type" in
- ip|net)
- case "$target" in
- dst)
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip daddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- src)
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ip saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- mac)
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset4}" goto "${nftPrefix}_mark_${mark}" && ipv4_error=0
- nft delete rule inet "$nftTable" "${nftPrefix}_prerouting" ether saddr "@${nftset6}" goto "${nftPrefix}_mark_${mark}" && ipv6_error=0
- ;;
- esac
- ;;
- flush|flush_user_set)
- nft flush set inet "$nftTable" "$nftset4" && ipv4_error=0
- nft flush set inet "$nftTable" "$nftset6" && ipv6_error=0
- ;;
- esac
-# nft6 returns true if IPv6 support is not enabled
- [ -z "$ipv6_enabled" ] && ipv6_error='1'
- if [ "$ipv4_error" -eq '0' ] || [ "$ipv6_error" -eq '0' ]; then
- return 0
- else
- return 1
- fi
-}
-
-cleanup_rt_tables() { sed -i '/pbr_/d' '/etc/iproute2/rt_tables'; sync; }
-cleanup_dnsmasq() { [ -s "$dnsmasqFile" ] && resolverStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')" && rm "$dnsmasqFile" >/dev/null 2>&1; }
-
-cleanup_main_chains() {
- local i
- for i in $chainsList; do
- i="$(str_to_lower "$i")"
- nft flush chain inet "$nftTable" "${nftPrefix}_${i}"
- done
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t mangle -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- ipt -t mangle -F "${iptPrefix}_${i}"
- ipt -t mangle -X "${iptPrefix}_${i}"
- done
-}
-
-cleanup_marking_chains() {
- local i
- for i in $(get_mark_nft_chains); do
- nft flush chain inet "$nftTable" "$i"
- nft delete chain inet "$nftTable" "$i"
- done
- for i in $(get_mark_ipt_chains); do
- ipt -t mangle -F "$i"
- ipt -t mangle -X "$i"
- done
-}
-
-cleanup_sets() {
- local i
- for i in $(get_nft_sets); do
- nft flush set inet "$nftTable" "$i"
- nft delete set inet "$nftTable" "$i"
- done
- for i in $(get_ipsets); do
- ipset -q -! flush "$i" >/dev/null 2>&1
- ipset -q -! destroy "$i" >/dev/null 2>&1
- done
-}
-
-state() {
- local action="$1" param="$2" value="${3//#/_}"
- shift 3
-# shellcheck disable=SC2124
- local extras="$@"
- local line error_id error_extra label
- case "$action" in
- add)
- line="$(eval echo "\$$param")"
- eval "$param"='${line:+$line#}${value}${extras:+ $extras}'
- ;;
- json)
- json_init
- json_add_object "$packageName"
- case "$param" in
- errorSummary)
- json_add_array 'errors';;
- warningSummary)
- json_add_array 'warnings';;
- esac
- if [ -n "$(eval echo "\$$param")" ]; then
- while read -r line; do
- if str_contains "$line" ' '; then
- error_id="${line% *}"
- error_extra="${line#* }"
- else
- error_id="$line"
- fi
- json_add_object
- json_add_string 'id' "$error_id"
- json_add_string 'extra' "$error_extra"
- json_close_object
- done <<EOF
-$(eval echo "\$$param" | tr \# \\n)
-EOF
- fi
- json_close_array
- json_close_object
- json_dump
- ;;
- print)
- [ -z "$(eval echo "\$$param")" ] && return 0
- case "$param" in
- errorSummary)
- label="${_ERROR_}:";;
- warningSummary)
- label="${_WARNING_}:";;
- esac
- while read -r line; do
- if str_contains "$line" ' '; then
- error_id="${line% *}"
- error_extra="${line#* }"
- printf "%b $(get_text "$error_id")\\n" "$label" "$error_extra"
- else
- error_id="$line"
- printf "%b $(get_text "$error_id")\\n" "$label"
- fi
- done <<EOF
-$(eval echo "\$$param" | tr \# \\n)
-EOF
- ;;
- set)
- eval "$param"='${value}${extras:+ $extras}'
- ;;
- esac
-}
-
-resolver() {
- local agh_version
- local param="$1"
- shift
-
- if [ "$param" = 'cleanup_all' ]; then
- sed -i "/ipset_file: ${aghIpsetFile}/d" "$aghConfigFile" >/dev/null 2>&1
- rm -f "$aghIpsetFile"
- rm -f "$dnsmasqFile"
- return 0
- fi
-
- case "$resolver_set" in
- ''|none)
- case "$param" in
- add_resolver_element) return 1;;
- create_resolver_set) return 1;;
- check_support) return 0;;
- cleanup) return 0;;
- configure) return 0;;
- init) return 0;;
- init_end) return 0;;
- kill) return 0;;
- reload) return 0;;
- restart) return 0;;
- compare_hash) return 0;;
- store_hash) return 0;;
- esac
- ;;
- adguardhome.ipset)
- case "$param" in
- add_resolver_element)
- [ -n "$resolver_set_supported" ] && ips 'add_agh_element' "$@";;
- create_resolver_set)
- [ -n "$resolver_set_supported" ] && ips 'create_agh_set' "$@";;
- check_support)
- if [ ! -x "$ipset" ]; then
- state add 'errorSummary' 'errorNoIpset'
- return 1
- fi
- if [ -n "$agh" ] && [ -s "$aghConfigFile" ]; then
- agh_version="$($agh --version | sed 's|AdGuard Home, version v\(.*\)|\1|' | sed 's|-.*||')"
- if is_greater_or_equal "$agh_version" '0.107.13'; then
- resolver_set_supported='true'
- return 0
- else
- state add 'warningSummary' 'warningAGHVersionTooLow' "$agh_version"
- return 1
- fi
- else
- state add 'warningSummary' 'warningResolverNotSupported'
- return 1
- fi
- ;;
- cleanup)
- [ -z "$resolver_set_supported" ] && return 0
- rm -f "$aghIpsetFile"
- sed -i "/ipset_file: ${aghIpsetFile}/d" "$aghConfigFile" >/dev/null 2>&1
- ;;
- configure)
- [ -z "$resolver_set_supported" ] && return 1
- mkdir -p "${aghIpsetFile%/*}"
- touch "$aghIpsetFile"
- sed -i '/ipset_file/d' "$aghConfigFile" >/dev/null 2>&1
- sed -i "/ ipset:/a \ \ ipset_file: $aghIpsetFile" "$aghConfigFile"
- ;;
- init) :;;
- init_end) :;;
- kill)
- [ -n "$resolver_set_supported" ] && [ -n "$agh" ] && killall -q -s HUP "$agh";;
- reload)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Reloading adguardhome '
- if /etc/init.d/adguardhome reload >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- restart)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Restarting adguardhome '
- if /etc/init.d/adguardhome restart >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- compare_hash)
- [ -z "$resolver_set_supported" ] && return 1
- local resolverNewHash
- if [ -s "$aghIpsetFile" ]; then
- resolverNewHash="$(md5sum $aghIpsetFile | awk '{ print $1; }')"
- fi
- [ "$resolverNewHash" != "$resolverStoredHash" ]
- ;;
- store_hash)
- [ -s "$aghIpsetFile" ] && resolverStoredHash="$(md5sum $aghIpsetFile | awk '{ print $1; }')";;
- esac
- ;;
- dnsmasq.ipset)
- case "$param" in
- add_resolver_element)
- [ -n "$resolver_set_supported" ] && ips 'add_dnsmasq_element' "$@";;
- create_resolver_set)
- [ -n "$resolver_set_supported" ] && ips 'create_dnsmasq_set' "$@";;
- check_support)
- if [ ! -x "$ipset" ]; then
- state add 'errorSummary' 'errorNoIpset'
- return 1
- fi
- if ! dnsmasq -v 2>/dev/null | grep -q 'no-ipset' && dnsmasq -v 2>/dev/null | grep -q 'ipset'; then
- resolver_set_supported='true'
- return 0
- else
- state add 'warningSummary' 'warningResolverNotSupported'
- return 1
- fi
- ;;
- cleanup)
- [ -n "$resolver_set_supported" ] && rm -f "$dnsmasqFile";;
- configure)
- [ -n "$resolver_set_supported" ] && mkdir -p "${dnsmasqFile%/*}";;
- init) :;;
- init_end) :;;
- kill)
- [ -n "$resolver_set_supported" ] && killall -q -s HUP dnsmasq;;
- reload)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Reloading dnsmasq '
- if /etc/init.d/dnsmasq reload >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- restart)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Restarting dnsmasq '
- if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- compare_hash)
- [ -z "$resolver_set_supported" ] && return 1
- local resolverNewHash
- if [ -s "$dnsmasqFile" ]; then
- resolverNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
- fi
- [ "$resolverNewHash" != "$resolverStoredHash" ]
- ;;
- store_hash)
- [ -s "$dnsmasqFile" ] && resolverStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')";;
- esac
- ;;
- dnsmasq.nftset)
- case "$param" in
- add_resolver_element)
- [ -n "$resolver_set_supported" ] && nftset 'add_dnsmasq_element' "$@";;
- create_resolver_set)
- [ -n "$resolver_set_supported" ] && nftset 'create_dnsmasq_set' "$@";;
- check_support)
- if [ ! -x "$nft" ]; then
- state add 'errorSummary' 'errorNoNft'
- return 1
- fi
- if ! dnsmasq -v 2>/dev/null | grep -q 'no-nftset' && dnsmasq -v 2>/dev/null | grep -q 'nftset'; then
- resolver_set_supported='true'
- return 0
- else
- state add 'warningSummary' 'warningResolverNotSupported'
- return 1
- fi
- ;;
- cleanup)
- [ -n "$resolver_set_supported" ] && rm -f "$dnsmasqFile";;
- configure)
- [ -n "$resolver_set_supported" ] && mkdir -p "${dnsmasqFile%/*}";;
- init) :;;
- init_end) :;;
- kill)
- [ -n "$resolver_set_supported" ] && killall -q -s HUP dnsmasq;;
- reload)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Reloading dnsmasq '
- if /etc/init.d/dnsmasq reload >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- restart)
- [ -z "$resolver_set_supported" ] && return 1
- output 3 'Restarting dnsmasq '
- if /etc/init.d/dnsmasq restart >/dev/null 2>&1; then
- output_okn
- return 0
- else
- output_failn
- return 1
- fi
- ;;
- compare_hash)
- [ -z "$resolver_set_supported" ] && return 1
- local resolverNewHash
- if [ -s "$dnsmasqFile" ]; then
- resolverNewHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')"
- fi
- [ "$resolverNewHash" != "$resolverStoredHash" ]
- ;;
- store_hash)
- [ -s "$dnsmasqFile" ] && resolverStoredHash="$(md5sum $dnsmasqFile | awk '{ print $1; }')";;
- esac
- ;;
- unbound.ipset)
- case "$param" in
- add_resolver_element) :;;
- create_resolver_set) :;;
- check_support) :;;
- cleanup) :;;
- configure) :;;
- init) :;;
- init_end) :;;
- kill) :;;
- reload) :;;
- restart) :;;
- compare_hash) :;;
- store_hash) :;;
- esac
- ;;
- unbound.nftset)
- case "$param" in
- add_resolver_element) :;;
- create_resolver_set) :;;
- check_support) :;;
- cleanup) :;;
- configure) :;;
- init) :;;
- init_end) :;;
- kill) :;;
- reload) :;;
- restart) :;;
- compare_hash) :;;
- store_hash) :;;
- esac
- ;;
- esac
-}
-
-trap_process() {
- output "\\n"
- output "Unexpected exit or service termination: '${1}'!\\n"
- state add 'errorSummary' 'errorUnexpectedExit' "$1"
- traffic_killswitch 'remove'
-}
-
-traffic_killswitch() {
- local s=0
- case "$1" in
- insert)
- local lan_subnet wan_device
- [ "$secure_reload" -ne 0 ] || return 0
- for i in $serviceTrapSignals; do
-# shellcheck disable=SC2064
- trap "trap_process $i" "$i"
- done
- output 3 'Activating traffic killswitch '
- network_get_subnet lan_subnet 'lan'
- network_get_physdev wan_device 'wan'
- if is_nft; then
- nft add chain inet "$nftTable" "${nftPrefix}_killswitch" '{ type filter hook forward priority 0; policy accept; }' || s=1
- nft add rule inet "$nftTable" "${nftPrefix}_killswitch" oifname "$wan_device" ip saddr "$lan_subnet" counter reject || s=1
- else
- ipt -N "${iptPrefix}_KILLSWITCH" || s=1
- ipt -A "${iptPrefix}_KILLSWITCH" -s "$lan_subnet" -o "$wan_device" -j REJECT || s=1
- ipt -I FORWARD -j "${iptPrefix}_KILLSWITCH" || s=1
- fi
- if [ "$s" -eq 0 ]; then
- output_okn
- else
- output_failn
- fi
- ;;
- remove)
- if [ "$secure_reload" -ne 0 ]; then
- output 3 'Deactivating traffic killswitch '
- fi
- if is_nft; then
- nft flush chain inet "$nftTable" "${nftPrefix}_killswitch" || s=1
- nft delete chain inet "$nftTable" "${nftPrefix}_killswitch" || s=1
- else
- ipt -D FORWARD -j "${iptPrefix}_KILLSWITCH" || s=1
- ipt -F "${iptPrefix}_KILLSWITCH" || s=1
- ipt -X "${iptPrefix}_KILLSWITCH" || s=1
- fi
- if [ "$secure_reload" -ne 0 ]; then
- if [ "$s" -eq 0 ]; then
- output_okn
- else
- output_failn
- fi
- fi
-# shellcheck disable=SC2086
- trap - $serviceTrapSignals
- ;;
- esac
-}
-
-policy_routing_tor() { if is_nft; then policy_routing_tor_nft "$@"; else policy_routing_tor_iptables "$@"; fi; }
-policy_routing_tor_iptables() {
- local comment="$1" iface="$2" src_addr="$3" src_port="$4" dest_addr="$5" dest_port="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_upper "$8")"
- chain="${chain:-PREROUTING}"
- if [ -n "${src_addr}${src_port}${dest_port}" ]; then
- state add 'warningSummary' 'warningTorUnsetParams' "$comment"
- fi
- if [ -n "$proto" ] && [ "$proto" != "all" ]; then
- state add 'warningSummary' 'warningTorUnsetProto' "$comment"
- fi
- if [ "$chain" != "PREROUTING" ]; then
- state add 'warningSummary' 'warningTorUnsetChainIpt' "$comment"
- fi
- if ! resolver 'add_resolver_element' "$iface" 'dst' 'ip' '' "${comment}: $dest_addr" "$dest_addr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorResolver' "'add_resolver_element' '$iface' 'dst' 'ip' '${comment}: $dest_addr' '$dest_addr'"
- return 1
- fi
- return 0
-}
-policy_routing_tor_nft() {
- local comment="$1" iface="$2" src_addr="$3" src_port="$4" dest_addr="$5" dest_port="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_lower "$8")"
- chain="${chain:-prerouting}"
- if [ -n "${src_addr}${src_port}${dest_port}" ]; then
- state add 'warningSummary' 'warningTorUnsetParams' "$comment"
- fi
- if [ -n "$proto" ] && [ "$proto" != "all" ]; then
- state add 'warningSummary' 'warningTorUnsetProto' "$comment"
- fi
- if [ "$chain" != "prerouting" ]; then
- state add 'warningSummary' 'warningTorUnsetChainNft' "$comment"
- fi
- if ! resolver 'add_resolver_element' "$iface" 'dst' 'ip' '' "${comment}: $dest_addr" "$dest_addr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorResolver' "'add_resolver_element' '$iface' 'dst' 'ip' '${comment}: $dest_addr' '$dest_addr'"
- return 1
- fi
- return 0
-}
-
-policy_routing() { if is_nft; then policy_routing_nft "$@"; else policy_routing_iptables "$@"; fi; }
-policy_routing_iptables() {
- local mark param4 param6 i negation value dest ipInsertOption="-A"
- local ip4error='1' ip6error='1'
- local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_upper "$8")"
- chain="${chain:-PREROUTING}"
- mark=$(eval echo "\$mark_${iface//-/_}")
-
- if [ -n "$ipv6_enabled" ] && { is_ipv6 "$laddr" || is_ipv6 "$raddr"; }; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessNoIpv6' "$name"
- return 1
- fi
-
- if [ -n "$mark" ]; then
- dest="-g ${iptPrefix}_MARK_${mark}"
- elif [ "$iface" = "ignore" ]; then
- dest="-j RETURN"
- else
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownFwmark' "$iface"
- return 1
- fi
-
- if is_family_mismatch "$laddr" "$raddr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'"
- return 1
- fi
-
- if [ -z "$proto" ]; then
- if [ -n "${lport}${rport}" ]; then
- proto='tcp udp'
- else
- proto='all'
- fi
- fi
-
- for i in $proto; do
- if [ "$i" = 'all' ]; then
- param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
- param6="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest"
- elif ! is_supported_protocol "$i"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$i'"
- return 1
- else
- param4="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest -p $i"
- param6="-t mangle ${ipInsertOption} ${iptPrefix}_${chain} $dest -p $i"
- fi
-
- if [ -n "$laddr" ]; then
- if [ "${laddr:0:1}" = "!" ]; then
- negation='!'; value="${laddr:1}"
- else
- unset negation; value="$laddr";
- fi
- if is_phys_dev "$value"; then
- param4="$param4 $negation -m physdev --physdev-in ${value:1}"
- param6="$param6 $negation -m physdev --physdev-in ${value:1}"
- elif is_netmask "$value"; then
- local target='src' type='net'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 $negation -s $value"
- param6="$param6 $negation -s $value"
- fi
- elif is_mac_address "$value"; then
- local target='src' type='mac'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 -m mac $negation --mac-source $value"
- param6="$param6 -m mac $negation --mac-source $value"
- fi
- else
- local target='src' type='ip'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $laddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $laddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- local resolvedIP4 resolvedIP6
- resolvedIP4="$(resolveip_to_ipt4 "$value")"
- resolvedIP6="$(resolveip_to_ipt6 "$value")"
- if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$value"
- fi
- param4="$param4 $negation -s $resolvedIP4"
- param6="$param6 $negation -s $resolvedIP6"
- fi
- fi
- fi
-
- if [ -n "$lport" ]; then
- if [ "${lport:0:1}" = "!" ]; then
- negation='!'; value="${lport:1}"
- else
- unset negation; value="$lport";
- fi
- param4="$param4 -m multiport $negation --sport ${value//-/:}"
- param6="$param6 -m multiport $negation --sport ${value//-/:}"
- fi
-
- if [ -n "$raddr" ]; then
- if [ "${raddr:0:1}" = "!" ]; then
- negation='!'; value="${raddr:1}"
- else
- unset negation; value="$raddr";
- fi
- if is_netmask "$value"; then
- local target='dst' type='net'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 $negation -d $value"
- param6="$param6 $negation -d $value"
- fi
- elif is_domain "$value"; then
- local target='dst' type='ip'
- if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- elif ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- local resolvedIP4 resolvedIP6
- resolvedIP4="$(resolveip_to_ipt4 "$value")"
- resolvedIP6="$(resolveip_to_ipt6 "$value")"
- if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$value"
- fi
- param4="$param4 $negation -d $resolvedIP4"
- param6="$param6 $negation -d $resolvedIP6"
- fi
- else
- local target='dst' type='ip'
- if ips 'create' "$iface" "$target" "$type" "$uid" "${name}: $raddr" && \
- ips 'add' "$iface" "$target" "$type" "$uid" "${name}: $raddr" "$value"; then
- param4="$param4 -m set $negation --match-set ${ipsPrefix}_${iface}_4_${target}_${type}_${uid} $target"
- param6="$param6 -m set $negation --match-set ${ipsPrefix}_${iface}_6_${target}_${type}_${uid} $target"
- else
- param4="$param4 $negation -d $value"
- param6="$param6 $negation -d $value"
- fi
- fi
- fi
-
- if [ -n "$rport" ]; then
- if [ "${rport:0:1}" = "!" ]; then
- negation='!'; value="${rport:1}"
- else
- unset negation; value="$rport";
- fi
- param4="$param4 -m multiport $negation --dport ${value//-/:}"
- param6="$param6 -m multiport $negation --dport ${value//-/:}"
- fi
-
- if [ -n "$name" ]; then
- param4="$param4 -m comment --comment $(str_extras_to_underscore "$name")"
- param6="$param6 -m comment --comment $(str_extras_to_underscore "$name")"
- fi
-
- local ipv4_error='0' ipv6_error='0'
- if [ "$param4" = "$param6" ]; then
- ipt4 "$param4" || ipv4_error='1'
- else
- ipt4 "$param4" || ipv4_error='1'
- ipt6 "$param6" || ipv6_error='1'
- fi
-
- if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4"
- state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param6"
- logger -t "$packageName" "ERROR: iptables $param4"
- logger -t "$packageName" "ERROR: iptables $param6"
- elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "iptables $param4"
- logger -t "$packageName" "ERROR: iptables $param4"
- fi
-
- done
-}
-policy_routing_nft() {
- local mark i nftInsertOption='add'
- local param4 param6 proto_i negation value dest
- local ip4Flag='ip' ip6Flag='ip6'
- local name="$1" iface="$2" laddr="$3" lport="$4" raddr="$5" rport="$6" proto chain uid="$9"
- proto="$(str_to_lower "$7")"
- chain="$(str_to_lower "$8")"
- chain="${chain:-prerouting}"
- mark=$(eval echo "\$mark_${iface//-/_}")
-
- if [ -z "$ipv6_enabled" ] && { is_ipv6 "$src_addr" || is_ipv6 "$dest_addr"; }; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessNoIpv6' "$name"
- return 1
- fi
-
- if [ -n "$mark" ]; then
- dest="goto ${nftPrefix}_mark_${mark}"
- elif [ "$iface" = "ignore" ]; then
- dest="return"
- else
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownFwmark' "$iface"
- return 1
- fi
-
- if is_family_mismatch "$src_addr" "$dest_addr"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessMismatchFamily' "${name}: '$laddr' '$raddr'"
- return 1
- fi
-
- if [ -z "$proto" ]; then
- if [ -n "${src_port}${dest_port}" ]; then
- proto='tcp udp'
- else
- proto='all'
- fi
- fi
-
- for proto_i in $proto; do
- unset param4
- unset param6
- if [ "$proto_i" = 'all' ]; then
- unset proto_i
- elif ! is_supported_protocol "$proto_i"; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessUnknownProtocol' "${name}: '$proto_i'"
- return 1
- fi
-
- if [ -n "$src_addr" ]; then
- if [ "${src_addr:0:1}" = "!" ]; then
- negation='!='; value="${src_addr:1}"
- else
- unset negation; value="$src_addr";
- fi
- if is_phys_dev "$value"; then
- param4="$param4 iifname $negation ${value:1}"
- param6="$param6 iifname $negation ${value:1}"
- elif is_mac_address "$value"; then
- local target='src' type='mac'
- if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 ether saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 ether saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- param4="$param4 ether saddr $negation $value"
- param6="$param6 ether saddr $negation $value"
- fi
- else
- local target='src' type='ip'
- if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag saddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag saddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- param4="$param4 $ip4Flag saddr $negation $value"
- param6="$param6 $ip6Flag saddr $negation $value"
- fi
- fi
- fi
-
- if [ -n "$dest_addr" ]; then
- if [ "${dest_addr:0:1}" = "!" ]; then
- negation='!='; value="${dest_addr:1}"
- else
- unset negation; value="$dest_addr";
- fi
- if is_phys_dev "$value"; then
- param4="$param4 oifname $negation ${value:1}"
- param6="$param6 oifname $negation ${value:1}"
- elif is_domain "$value"; then
- local target='dst' type='ip'
- if resolver 'create_resolver_set' "$iface" "$target" "$type" "$uid" "$name" && \
- resolver 'add_resolver_element' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- elif nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- local resolvedIP4 resolvedIP6
- resolvedIP4="$(resolveip_to_nftset4 "$value")"
- resolvedIP6="$(resolveip_to_nftset6 "$value")"
- if [ -z "$resolvedIP4" ] && [ -z "$resolvedIP6" ]; then
- state add 'errorSummary' 'errorFailedToResolve' "$value"
- fi
- param4="$param4 $ip4Flag daddr $negation { $resolvedIP4 }"
- param6="$param6 $ip6Flag daddr $negation { $resolvedIP6 }"
- fi
- else
- local target='dst' type='ip'
- if nftset 'create' "$iface" "$target" "$type" "$uid" "$name" && \
- nftset 'add' "$iface" "$target" "$type" "$uid" "$name" "$value"; then
- param4="$param4 $ip4Flag daddr $negation @${nftPrefix}_${iface}_4_${target}_${type}_${uid}"
- param6="$param6 $ip6Flag daddr $negation @${nftPrefix}_${iface}_6_${target}_${type}_${uid}"
- else
- param4="$param4 $ip4Flag daddr $negation $value"
- param6="$param6 $ip6Flag daddr $negation $value"
- fi
- fi
- fi
-
- if [ -n "$src_port" ]; then
- if [ "${src_port:0:1}" = "!" ]; then
- negation='!='; value="${src_port:1}"
- else
- unset negation; value="$src_port";
- fi
- param4="$param4 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}"
- param6="$param6 ${proto_i:+$proto_i }sport $negation {$(ports_to_nftset "$value")}"
- fi
-
- if [ -n "$dest_port" ]; then
- if [ "${dest_port:0:1}" = "!" ]; then
- negation='!='; value="${dest_port:1}"
- else
- unset negation; value="$dest_port";
- fi
- param4="$param4 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}"
- param6="$param6 ${proto_i:+$proto_i }dport $negation {$(ports_to_nftset "$value")}"
- fi
-
- param4="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param4 $dest comment \"$name\""
- param6="$nftInsertOption rule inet $nftTable ${nftPrefix}_${chain} $param6 $dest comment \"$name\""
-
- local ipv4_error='0' ipv6_error='0'
- if [ "$nftPrevParam4" != "$param4" ]; then
- nft4 "$param4" || ipv4_error='1'
- nftPrevParam4="$param4"
- fi
- if [ "$nftPrevParam6" != "$param6" ]; then
- nft6 "$param6" || ipv6_error='1'
- nftPrevParam6="$param6"
- fi
-
- if [ -n "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ] && [ "$ipv6_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailed' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4"
- state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param6"
- logger -t "$packageName" "ERROR: nft $param4"
- logger -t "$packageName" "ERROR: nft $param6"
- elif [ -z "$ipv6_enabled" ] && [ "$ipv4_error" -eq '1' ]; then
- processPolicyError='true'
- state add 'errorSummary' 'errorPolicyProcessInsertionFailedIpv4' "$name"
- state add 'errorSummary' 'errorPolicyProcessCMD' "nft $param4"
- logger -t "$packageName" "ERROR: nft $param4"
- fi
-
- done
-}
-
-policy_process() {
- local i j uid="$9"
- if [ -z "$uid" ]; then # first non-recursive call
- [ "$enabled" -gt 0 ] || return 0
- unset processPolicyError
- uid="$1"
- if is_nft; then
- chain="$(str_to_lower "$chain")"
- else
- chain="$(str_to_upper "$chain")"
- fi
- proto="$(str_to_lower "$proto")"
- [ "$proto" = 'auto' ] && unset proto
- [ "$proto" = 'all' ] && unset proto
- output 2 "Routing '$name' via $interface "
- if [ -z "${src_addr}${src_port}${dest_addr}${dest_port}" ]; then
- state add 'errorSummary' 'errorPolicyNoSrcDest' "$name"
- output_fail; return 1;
- fi
- if [ -z "$interface" ]; then
- state add 'errorSummary' 'errorPolicyNoInterface' "$name"
- output_fail; return 1;
- fi
- if ! is_supported_interface "$interface"; then
- state add 'errorSummary' 'errorPolicyUnknownInterface' "$name"
- output_fail; return 1;
- fi
- src_port="${src_port// / }"; src_port="${src_port// /,}"; src_port="${src_port//,\!/ !}";
- dest_port="${dest_port// / }"; dest_port="${dest_port// /,}"; dest_port="${dest_port//,\!/ !}";
-# if is_nft; then
-# nftset 'flush' "$interface" "dst" "ip" "$uid"
-# nftset 'flush' "$interface" "src" "ip" "$uid"
-# nftset 'flush' "$interface" "src" "mac" "$uid"
-# else
-# ips 'flush' "$interface" "dst" "ip" "$uid"
-# ips 'flush' "$interface" "src" "ip" "$uid"
-# ips 'flush' "$interface" "src" "mac" "$uid"
-# fi
- policy_process "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
- if [ -n "$processPolicyError" ]; then
- output_fail
- else
- output_ok
- fi
- else # recursive call, get options from passed variables
- local name="$1" interface="$2" src_addr="$3" src_port="$4" dest_addr="$5" dest_port="$6" proto="$7" chain="$8"
- if str_contains "$src_addr" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$src_addr"); do [ -n "$i" ] && policy_process "$name" "$interface" "$i" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"; done
- elif str_contains "$src_port" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$src_port"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$i" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"; done
- elif str_contains "$dest_addr" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$dest_addr"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$src_port" "$i" "$dest_port" "$proto" "$chain" "$uid"; done
- elif str_contains "$dest_port" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$dest_port"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$i" "$proto" "$chain" "$uid"; done
- elif str_contains "$proto" '[ ;\{\}]'; then
- for i in $(str_extras_to_space "$proto"); do [ -n "$i" ] && policy_process "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$i" "$chain" "$uid"; done
- else
- if is_tor "$interface"; then
- policy_routing_tor "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
- else
- policy_routing "$name" "$interface" "$src_addr" "$src_port" "$dest_addr" "$dest_port" "$proto" "$chain" "$uid"
- fi
- fi
- fi
-}
-
-interface_process_tor() { if is_nft; then interface_process_tor_nft "$@"; else interface_process_tor_iptables "$@"; fi; }
-interface_process_tor_iptables() {
- local s=0 iface="$1" action="$2"
- local displayText set_name4 set_name6
- local dnsPort trafficPort
- case "$action" in
- reload)
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- ;;
- destroy)
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t nat -D "${i}" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- ipt -t nat -F "${iptPrefix}_${i}"; ipt -t nat -X "${iptPrefix}_${i}";
- done
- ;;
- create)
- output 2 "Creating TOR redirects "
- dnsPort="$(grep -m1 DNSPort /etc/tor/torrc | awk -F: '{print $2}')"
- trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
- dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}";
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t nat -N "${iptPrefix}_${i}"
- ipt -t nat -A "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- done
- if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && ips 'flush' "$iface" 'dst' 'ip'; then
- set_name4="${ipsPrefix}_${iface}_4_dst_ip"
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 53 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$dnsPort" -m comment --comment "TorDNS-UDP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-TCP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 80 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTP-UDP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p tcp -m tcp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-TCP" || s=1
- ipt -t nat -I "${iptPrefix}_${i}" -p udp -m udp --dport 443 -m set --match-set "${set_name4}" dst -j REDIRECT --to-ports "$trafficPort" -m comment --comment "TorHTTPS-UDP" || s=1
- done
- else
- s=1
- fi
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- if [ "$s" -eq 0 ]; then
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedSetup' "$displayText"
- output_fail
- fi
- ;;
- esac
- return $s
-}
-interface_process_tor_nft() {
- local s=0 iface="$1" action="$2"
- local displayText set_name4 set_name6
- local dnsPort trafficPort
- case "$action" in
- reload)
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- ;;
- destroy)
- ;;
- create)
- output 2 "Creating TOR redirects "
- dnsPort="$(grep -m1 DNSPort /etc/tor/torrc | awk -F: '{print $2}')"
- trafficPort="$(grep -m1 TransPort /etc/tor/torrc | awk -F: '{print $2}')"
- dnsPort="${dnsPort:-9053}"; trafficPort="${trafficPort:-9040}";
- if resolver 'create_resolver_set' "$iface" 'dst' 'ip' && nftset 'flush' "$iface" 'dst' 'ip'; then
- set_name4="${nftPrefix}_${iface}_4_dst_ip"
- set_name6="${nftPrefix}_${iface}_6_dst_ip"
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv4" || s=1
- nft add rule inet "$nftTable" dstnat meta nfproto ipv4 ip daddr "@${set_name4}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv4" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 53 counter redirect to :"$dnsPort" comment "Tor-DNS-UDP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-TCP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 80 counter redirect to :"$trafficPort" comment "Tor-HTTP-UDP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" tcp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-TCP-ipv6" || s=1
- nft6 add rule inet "$nftTable" dstnat meta nfproto ipv6 ip6 daddr "@${set_name6}" udp dport 443 counter redirect to :"$trafficPort" comment "Tor-HTTPS-UDP-ipv6" || s=1
- else
- s=1
- fi
- displayText="${iface}/53->${dnsPort}/80,443->${trafficPort}"
- if [ "$s" -eq 0 ]; then
- gatewaySummary="${gatewaySummary}${displayText}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedSetup' "$displayText"
- output_fail
- fi
- ;;
- esac
- return $s
-}
-
-interface_routing() {
- local action="$1" tid="$2" mark="$3" iface="$4" gw4="$5" dev="$6" gw6="$7" dev6="$8" priority="$9"
- local dscp s=0 i ipv4_error=1 ipv6_error=1
- if [ -z "$tid" ] || [ -z "$mark" ] || [ -z "$iface" ]; then
- state add 'errorSummary' 'errorInterfaceRoutingEmptyValues'
- return 1
- fi
- case "$action" in
- create)
- if is_netifd_table "$iface"; then
- ipv4_error=0
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
- if is_nft; then
- nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
- else
- ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j RETURN || ipv4_error=1
- fi
- if [ -n "$ipv6_enabled" ]; then
- ipv6_error=0
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
- fi
- else
- if ! grep -q "$tid ${ipTablePrefix}_${iface}" '/etc/iproute2/rt_tables'; then
- sed -i "/${ipTablePrefix}_${iface}/d" '/etc/iproute2/rt_tables'
- sync
- echo "$tid ${ipTablePrefix}_${iface}" >> '/etc/iproute2/rt_tables'
- sync
- fi
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- $ip_bin route flush table "$tid" >/dev/null 2>&1
- if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
- ipv4_error=0
- if [ -z "$gw4" ]; then
- $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
- else
- $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
- fi
-# shellcheck disable=SC2086
- while read -r i; do
- i="$(echo "$i" | sed 's/ linkdown$//')"
- i="$(echo "$i" | sed 's/ onlink$//')"
- idev="$(echo "$i" | grep -Eso 'dev [^ ]*' | awk '{print $2}')"
- if ! is_supported_iface_dev "$idev"; then
- $ip_bin -4 route add $i table "$tid" >/dev/null 2>&1 || ipv4_error=1
- fi
- done << EOF
- $($ip_bin -4 route list table main)
-EOF
- $ip_bin -4 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
- if is_nft; then
- nft add chain inet "$nftTable" "${nftPrefix}_mark_${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} counter mark set mark and ${fw_maskXor} xor ${mark}" || ipv4_error=1
- nft add rule inet "$nftTable" "${nftPrefix}_mark_${mark} return" || ipv4_error=1
- else
- ipt -t mangle -N "${iptPrefix}_MARK_${mark}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j MARK --set-xmark "${mark}/${fw_mask}" || ipv4_error=1
- ipt -t mangle -A "${iptPrefix}_MARK_${mark}" -j RETURN || ipv4_error=1
- fi
- fi
- if [ -n "$ipv6_enabled" ]; then
- ipv6_error=0
- if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
- if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv6_error=1
- elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
- while read -r i; do
- i="$(echo "$i" | sed 's/ linkdown$//')"
- i="$(echo "$i" | sed 's/ onlink$//')"
- # shellcheck disable=SC2086
- $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
- done << EOF
- $($ip_bin -6 route list table main | grep " dev $dev6 ")
-EOF
- else
- $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- fi
- fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" >/dev/null 2>&1 || ipv6_error=1
- fi
- fi
- if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
- dscp="$(uci -q get "${packageName}".config."${iface}"_dscp)"
- if is_nft; then
- if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_prerouting ip dscp ${dscp} goto ${nftPrefix}_mark_${mark}" || s=1
- fi
- if [ "$iface" = "$icmp_interface" ]; then
- nft add rule inet "$nftTable" "${nftPrefix}_output ip protocol icmp goto ${nftPrefix}_mark_${mark}" || s=1
- fi
- else
- if [ "${dscp:-0}" -ge 1 ] && [ "${dscp:-0}" -le 63 ]; then
- ipt -t mangle -I "${iptPrefix}_PREROUTING" -m dscp --dscp "${dscp}" -g "${iptPrefix}_MARK_${mark}" || s=1
- fi
- if [ "$iface" = "$icmp_interface" ]; then
- ipt -t mangle -I "${iptPrefix}_OUTPUT" -p icmp -g "${iptPrefix}_MARK_${mark}" || s=1
- fi
- fi
- else
- s=1
- fi
- return "$s"
- ;;
- create_user_set)
- if is_nft; then
- nftset 'create_user_set' "$iface" 'dst' 'ip' 'user' '' "$mark" || s=1
- nftset 'create_user_set' "$iface" 'src' 'ip' 'user' '' "$mark" || s=1
- nftset 'create_user_set' "$iface" 'src' 'mac' 'user' '' "$mark" || s=1
- else
- ips 'create_user_set' "$iface" 'dst' 'ip' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'src' 'ip' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'dst' 'net' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'src' 'net' 'user' '' "$mark" || s=1
- ips 'create_user_set' "$iface" 'src' 'mac' 'user' '' "$mark" || s=1
- fi
- return "$s"
- ;;
- delete|destroy)
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- if ! is_netifd_table "$iface"; then
- $ip_bin route flush table "$tid" >/dev/null 2>&1
- sed -i "/${ipTablePrefix}_${iface}\$/d" '/etc/iproute2/rt_tables'
- sync
- fi
- return "$s"
- ;;
- reload_interface)
- is_netifd_table "$iface" && return 0;
- ipv4_error=0
- $ip_bin rule del table "$tid" >/dev/null 2>&1
- if ! is_netifd_table "$iface"; then
- $ip_bin route flush table "$tid" >/dev/null 2>&1
- fi
- if [ -n "$gw4" ] || [ "$strict_enforcement" -ne 0 ]; then
- if [ -z "$gw4" ]; then
- $ip_bin -4 route add unreachable default table "$tid" >/dev/null 2>&1 || ipv4_error=1
- else
- $ip_bin -4 route add default via "$gw4" dev "$dev" table "$tid" >/dev/null 2>&1 || ipv4_error=1
- fi
- $ip_bin rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv4_error=1
- fi
- if [ -n "$ipv6_enabled" ]; then
- ipv6_error=0
- if { [ -n "$gw6" ] && [ "$gw6" != "::/0" ]; } || [ "$strict_enforcement" -ne 0 ]; then
- if [ -z "$gw6" ] || [ "$gw6" = "::/0" ]; then
- $ip_bin -6 route add unreachable default table "$tid" || ipv6_error=1
- elif $ip_bin -6 route list table main | grep -q " dev $dev6 "; then
- while read -r i; do
- # shellcheck disable=SC2086
- $ip_bin -6 route add $i table "$tid" >/dev/null 2>&1 || ipv6_error=1
- done << EOF
- $($ip_bin -6 route list table main | grep " dev $dev6 ")
-EOF
- else
- $ip_bin -6 route add "$($ip_bin -6 -o a show "$dev6" | awk '{print $4}')" dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- $ip_bin -6 route add default dev "$dev6" table "$tid" >/dev/null 2>&1 || ipv6_error=1
- fi
- fi
- $ip_bin -6 rule add fwmark "${mark}/${fw_mask}" table "$tid" priority "$priority" || ipv6_error=1
- fi
- if [ "$ipv4_error" -eq 0 ] || [ "$ipv6_error" -eq 0 ]; then
- s=0
- else
- s=1
- fi
- return "$s"
- ;;
- esac
-}
-
-json_add_gateway() {
- local action="$1" tid="$2" mark="$3" iface="$4" gw4="$5" dev4="$6" gw6="$7" dev6="$8" priority="$9" default="${10}"
- json_add_object ''
- json_add_string name "$iface"
- json_add_string device_ipv4 "$dev4"
- json_add_string gateway_ipv4 "$gw4"
- json_add_string device_ipv6 "$dev6"
- json_add_string gateway_ipv6 "$gw6"
- if [ -n "$default" ]; then
- json_add_boolean default true
- else
- json_add_boolean default false
- fi
- json_add_string action "$action"
- json_add_string table_id "$tid"
- json_add_string mark "$mark"
- json_add_string priority "$priority"
- json_close_object
-}
-
-interface_process() {
- local gw4 gw6 dev dev6 s=0 dscp iface="$1" action="$2" reloadedIface="$3"
- local displayText dispDev dispGw4 dispGw6 dispStatus
-
- if [ "$iface" = 'all' ] && [ "$action" = 'prepare' ]; then
- config_load 'network'
- ifaceMark="$(printf '0x%06x' "$wan_mark")"
- ifacePriority="$wan_ip_rules_priority"
- return 0
- fi
-
- is_supported_interface "$iface" || return 0
- is_wan6 "$iface" && return 0
- [ $((ifaceMark)) -gt $((fw_mask)) ] && return 1
-
- if is_ovpn "$iface" && ! is_valid_ovpn "$iface"; then
- : || state add 'warningSummary' 'warningInvalidOVPNConfig' "$iface"
- fi
-
- network_get_device dev "$iface"
- [ -z "$dev" ] && network_get_physdev dev "$iface"
- if is_wan "$iface" && [ -n "$wanIface6" ] && str_contains "$wanIface6" "$iface"; then
- network_get_device dev6 "$wanIface6"
- [ -z "$dev6" ] && network_get_physdev dev6 "$wanIface6"
- fi
-
- [ -z "$dev6" ] && dev6="$dev"
- [ -z "$ifaceMark" ] && ifaceMark="$(printf '0x%06x' "$wan_mark")"
- [ -z "$ifacePriority" ] && ifacePriority="$wan_ip_rules_priority"
-
- ifaceTableID="$(get_rt_tables_id "$iface")"
- [ -z "$ifaceTableID" ] && ifaceTableID="$(get_rt_tables_next_id)"
- eval "mark_${iface//-/_}"='$ifaceMark'
- eval "tid_${iface//-/_}"='$ifaceTableID'
- pbr_get_gateway gw4 "$iface" "$dev"
- pbr_get_gateway6 gw6 "$iface" "$dev6"
- dispGw4="${gw4:-0.0.0.0}"
- dispGw6="${gw6:-::/0}"
- [ "$iface" != "$dev" ] && dispDev="$dev"
- is_default_dev "$dev" && dispStatus="${__OK__}"
- displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
-
- case "$action" in
- create)
- output 2 "Setting up routing for '$displayText' "
- if interface_routing 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
- json_add_gateway 'create' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedSetup' "$displayText"
- output_fail
- fi
- ;;
- create_user_set)
- interface_routing 'create_user_set' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"
- ;;
- destroy)
- displayText="${iface}/${dispDev:+$dispDev/}${dispGw4}${ipv6_enabled:+/$dispGw6}"
- output 2 "Removing routing for '$displayText' "
- interface_routing 'destroy' "${ifaceTableID}" "${ifaceMark}" "${iface}"
- output_ok
- ;;
- reload)
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- ;;
- reload_interface)
- if [ "$iface" = "$reloadedIface" ]; then
- output 2 "Reloading routing for '$displayText' "
- if interface_routing 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority"; then
- json_add_gateway 'reload_interface' "$ifaceTableID" "$ifaceMark" "$iface" "$gw4" "$dev" "$gw6" "$dev6" "$ifacePriority" "$dispStatus"
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- output_ok
- else
- state add 'errorSummary' 'errorFailedReload' "$displayText"
- output_fail
- fi
- else
- gatewaySummary="${gatewaySummary}${displayText}${dispStatus:+ $dispStatus}\\n"
- fi
- ;;
- esac
-# ifaceTableID="$((ifaceTableID + 1))"
- ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))"
- ifacePriority="$((ifacePriority + 1))"
- return $s
-}
-
-user_file_process() {
- local shellBin="${SHELL:-/bin/ash}"
- [ "$enabled" -gt 0 ] || return 0
- if [ ! -s "$path" ]; then
- state add 'errorSummary' 'errorUserFileNotFound' "$path"
- output_fail
- return 1
- fi
- if ! $shellBin -n "$path"; then
- state add 'errorSummary' 'errorUserFileSyntax' "$path"
- output_fail
- return 1
- fi
- output 2 "Running $path "
-# shellcheck disable=SC1090
- if ! . "$path"; then
- state add 'errorSummary' 'errorUserFileRunning' "$path"
- if grep -q -w 'curl' "$path" && ! is_present 'curl'; then
- state add 'errorSummary' 'errorUserFileNoCurl' "$path"
- fi
- output_fail
- return 1
- else
- output_ok
- return 0
- fi
-}
-
-boot() {
- ubus -t 30 wait_for network.interface 2>/dev/null
- rc_procd start_service 'on_boot'
-}
-
-on_firewall_reload() {
- if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on firewall reload
- logger -t "$packageName" "Reload on firewall action aborted: service is stopped."
- return 0
- else
- rc_procd start_service 'on_firewall_reload' "$1"
- fi
-}
-on_interface_reload() {
- if [ -e "$packageLockFile" ]; then # service is stopped, do not start it on interface change
- logger -t "$packageName" "Reload on interface change aborted: service is stopped."
- return 0
- else
- rc_procd start_service 'on_interface_reload' "$1"
- fi
-}
-
-start_service() {
- local resolverStoredHash resolverNewHash i param="$1" reloadedIface
-
- load_environment 'on_start' "$(load_validate_config)" || return 1
- is_wan_up || return 1
- rm -f "$nftTempFile"
-
- case "$param" in
- on_boot)
- serviceStartTrigger='on_start'
- ;;
- on_firewall_reload)
- serviceStartTrigger='on_start'
- ;;
- on_interface_reload)
- reloadedIface="$2"
- if is_ovpn "$reloadedIface"; then
- logger -t "$packageName" "Updated interface is an OpenVPN tunnel, restarting."
- serviceStartTrigger='on_start'
- unset reloadedIface
- else
- serviceStartTrigger='on_interface_reload'
- fi
- ;;
- on_reload)
- serviceStartTrigger='on_reload'
- ;;
- on_restart)
- serviceStartTrigger='on_start'
- ;;
- esac
-
- if [ -n "$reloadedIface" ] && ! is_supported_interface "$reloadedIface"; then
- return 0
- fi
-
- if [ -n "$(ubus_get_status error)" ] || [ -n "$(ubus_get_status warning)" ]; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- elif ! is_service_running; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- elif [ -z "$(ubus_get_status gateway)" ]; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- elif [ "$serviceStartTrigger" = 'on_interface_reload' ] && \
- [ -z "$(ubus_get_interface "$reloadedIface" 'gateway_4')" ] && \
- [ -z "$(ubus_get_interface "$reloadedIface" 'gateway_6')" ]; then
- serviceStartTrigger='on_start'
- unset reloadedIface
- else
- serviceStartTrigger="${serviceStartTrigger:-on_start}"
- fi
-
- procd_open_instance "main"
- procd_set_param command /bin/true
- procd_set_param stdout 1
- procd_set_param stderr 1
- procd_open_data
-
- case $serviceStartTrigger in
- on_interface_reload)
- output 1 "Reloading Interface: $reloadedIface "
- json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'reload_interface' "$reloadedIface"
- json_close_array
- output 1 '\n'
- ;;
- on_reload)
- traffic_killswitch 'insert'
- resolver 'store_hash'
- resolver 'cleanup_all'
- resolver 'configure'
- resolver 'init'
- cleanup_main_chains
- cleanup_sets
- if ! is_nft; then
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t mangle -N "${iptPrefix}_${i}"
- ipt -t mangle "$rule_create_option" "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- done
- fi
- json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'reload'
- interface_process_tor 'tor' 'destroy'
- is_tor_running && interface_process_tor 'tor' 'reload'
- json_close_array
- if is_config_enabled 'policy'; then
- output 1 'Processing policies '
- config_load "$packageName"
- config_foreach load_validate_policy 'policy' policy_process
- output 1 '\n'
- fi
- if is_config_enabled 'include'; then
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create_user_set'
- output 1 'Processing user file(s) '
- config_load "$packageName"
- config_foreach load_validate_include 'include' user_file_process
- output 1 '\n'
- fi
- resolver 'init_end'
- resolver 'compare_hash' && resolver 'restart'
- traffic_killswitch 'remove'
- ;;
- on_start|*)
- traffic_killswitch 'insert'
- resolver 'store_hash'
- resolver 'cleanup_all'
- resolver 'configure'
- resolver 'init'
- cleanup_main_chains
- cleanup_sets
- cleanup_marking_chains
- cleanup_rt_tables
- if ! is_nft; then
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- ipt -t mangle -N "${iptPrefix}_${i}"
- ipt -t mangle "$rule_create_option" "$i" -m mark --mark "0x0/${fw_mask}" -j "${iptPrefix}_${i}"
- done
- fi
- output 1 'Processing interfaces '
- json_add_array 'gateways'
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create'
- interface_process_tor 'tor' 'destroy'
- is_tor_running && interface_process_tor 'tor' 'create'
- json_close_array
- ip route flush cache
- output 1 '\n'
- if is_config_enabled 'policy'; then
- output 1 'Processing policies '
- config_load "$packageName"
- config_foreach load_validate_policy 'policy' policy_process
- output 1 '\n'
- fi
- if is_config_enabled 'include'; then
- interface_process 'all' 'prepare'
- config_foreach interface_process 'interface' 'create_user_set'
- output 1 'Processing user file(s) '
- config_load "$packageName"
- config_foreach load_validate_include 'include' user_file_process
- output 1 '\n'
- fi
- resolver 'init_end'
- resolver 'compare_hash' && resolver 'restart'
- traffic_killswitch 'remove'
- ;;
- esac
-
- if [ -z "$gatewaySummary" ]; then
- state add 'errorSummary' 'errorNoGateways'
- fi
- json_add_object 'status'
- [ -n "$gatewaySummary" ] && json_add_string 'gateways' "$gatewaySummary"
- [ -n "$errorSummary" ] && json_add_string 'errors' "$errorSummary"
- [ -n "$warningSummary" ] && json_add_string 'warnings' "$warningSummary"
- if [ "$strict_enforcement" -ne 0 ] && str_contains "$gatewaySummary" '0.0.0.0'; then
- json_add_string 'mode' "strict"
- fi
- json_close_object
- procd_close_data
- procd_close_instance
-}
-
-service_started() {
- if is_nft; then
- [ -n "$gatewaySummary" ] && output "$serviceName (nft) started with gateways:\\n${gatewaySummary}"
- else
- [ -n "$gatewaySummary" ] && output "$serviceName (iptables) started with gateways:\\n${gatewaySummary}"
- fi
- state print 'errorSummary'
- state print 'warningSummary'
- if [ -n "$errorSummary" ]; then
- return 2
- elif [ -n "$warningSummary" ]; then
- return 1
- else
- return 0
- fi
-}
-
-service_triggers() {
- local n
- load_environment 'on_triggers'
-# shellcheck disable=SC2034
- PROCD_RELOAD_DELAY=$(( procd_reload_delay * 1000 ))
- procd_open_validate
- load_validate_config
- load_validate_policy
- load_validate_include
- procd_close_validate
- procd_open_trigger
- procd_add_reload_trigger 'openvpn'
- procd_add_config_trigger "config.change" "${packageName}" /etc/init.d/${packageName} reload
- for n in $ifacesSupported; do
- procd_add_interface_trigger "interface.*" "$n" /etc/init.d/${packageName} on_interface_reload "$n"
- done
- procd_close_trigger
- if [ "$serviceStartTrigger" = 'on_start' ]; then
- output 3 "$serviceName monitoring interfaces: ${ifacesSupported}\\n"
- fi
-}
-
-stop_service() {
- local i
- load_environment 'on_stop'
- is_service_running || return 0
- traffic_killswitch 'insert'
- cleanup_main_chains
- cleanup_sets
- cleanup_marking_chains
- output 1 'Resetting interfaces '
- config_load 'network'
- config_foreach interface_process 'interface' 'destroy'
- interface_process_tor 'tor' 'destroy'
- cleanup_rt_tables
- output 1 "\\n"
- ip route flush cache
- unset ifaceMark
- unset ifaceTableID
- resolver 'store_hash'
- resolver 'cleanup_all'
- resolver 'compare_hash' && resolver 'restart'
- traffic_killswitch 'remove'
- if [ "$enabled" -ne 0 ]; then
- if is_nft; then
- output "$serviceName (nft) stopped "; output_okn;
- else
- output "$serviceName (iptables) stopped "; output_okn;
- fi
- fi
-}
-
-status_service() {
- local _SEPARATOR_='============================================================'
- load_environment 'on_status'
- if is_nft; then
- status_service_nft "$@"
- else
- status_service_iptables "$@"
- fi
-}
-
-status_service_nft() {
- local i dev dev6 wan_tid
-
- json_load "$(ubus call system board)"; json_select release; json_get_var dist distribution; json_get_var vers version
- if [ -n "$wanIface4" ]; then
- network_get_gateway wanGW4 "$wanIface4"
- network_get_device dev "$wanIface4"
- fi
- if [ -n "$wanIface6" ]; then
- network_get_device dev6 "$wanIface6"
- wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
- [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
- fi
- while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done
- [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
- status="$serviceName running on $dist $vers."
- [ -n "$wanIface4" ] && status="$status WAN (IPv4): ${wanIface4}/${dev}/${wanGW4:-0.0.0.0}."
- [ -n "$wanIface6" ] && status="$status WAN (IPv6): ${wanIface6}/${dev6}/${wanGW6:-::/0}."
-
- echo "$_SEPARATOR_"
- echo "$packageName - environment"
- echo "$status"
- echo "$_SEPARATOR_"
- dnsmasq --version 2>/dev/null | sed '/^$/,$d'
- echo "$_SEPARATOR_"
- echo "$packageName chains - policies"
- for i in forward input output prerouting postrouting; do
- "$nft" -a list table inet "$nftTable" | sed -n "/chain ${nftPrefix}_${i} {/,/\t}/p"
- done
- echo "$_SEPARATOR_"
- echo "$packageName chains - marking"
- for i in $(get_mark_nft_chains); do
- "$nft" -a list table inet "$nftTable" | sed -n "/chain ${i} {/,/\t}/p"
- done
- echo "$_SEPARATOR_"
- echo "$packageName nft sets"
- for i in $(get_nft_sets); do
- "$nft" -a list table inet "$nftTable" | sed -n "/set ${i} {/,/\t}/p"
- done
- if [ -s "$dnsmasqFile" ]; then
- echo "$_SEPARATOR_"
- echo "dnsmasq sets"
- cat "$dnsmasqFile"
- fi
-# echo "$_SEPARATOR_"
-# ip rule list | grep "${packageName}_"
- echo "$_SEPARATOR_"
- tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
- wan_tid=$(($(get_rt_tables_next_id)-tableCount))
- i=0; while [ $i -lt "$tableCount" ]; do
- echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
- echo "IPv4 table $((wan_tid + i)) rule(s):"
- $ip_bin -4 rule list table "$((wan_tid + i))"
- if [ -n "$ipv6_enabled" ]; then
- echo "IPv6 table $((wan_tid + i)) route: $($ip_bin -6 route show table $((wan_tid + i)) | grep default)"
- echo "IPv6 table $((wan_tid + i)) rule(s):"
- $ip_bin -6 route show table $((wan_tid + i))
- fi
- i=$((i + 1))
- done
-}
-
-status_service_iptables() {
- local dist vers out id s param status set_d set_p tableCount i=0 dev dev6 j wan_tid
-
- json_load "$(ubus call system board)"; json_select release; json_get_var dist distribution; json_get_var vers version
- if [ -n "$wanIface4" ]; then
- network_get_gateway wanGW4 "$wanIface4"
- network_get_device dev "$wanIface4"
- fi
- if [ -n "$wanIface6" ]; then
- network_get_device dev6 "$wanIface6"
- wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $1}')
- [ "$wanGW6" = "default" ] && wanGW6=$($ip_bin -6 route show | grep -m1 " dev $dev6 " | awk '{print $3}')
- fi
- while [ "${1:0:1}" = "-" ]; do param="${1//-/}"; eval "set_$param=1"; shift; done
- [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
- status="$serviceName running on $dist $vers."
- [ -n "$wanIface4" ] && status="$status WAN (IPv4): ${wanIface4}/${dev}/${wanGW4:-0.0.0.0}."
- [ -n "$wanIface6" ] && status="$status WAN (IPv6): ${wanIface6}/${dev6}/${wanGW6:-::/0}."
- {
- echo "$status"
- echo "$_SEPARATOR_"
- dnsmasq --version 2>/dev/null | sed '/^$/,$d'
- if [ -n "$1" ]; then
- echo "$_SEPARATOR_"
- echo "Resolving domains"
- for i in $1; do
- echo "$i: $(resolveip "$i" | tr '\n' ' ')"
- done
- fi
-
- echo "$_SEPARATOR_"
- echo "Routes/IP Rules"
- tableCount="$(grep -c "${packageName}_" /etc/iproute2/rt_tables)" || tableCount=0
- if [ -n "$set_d" ]; then route; else route | grep '^default'; fi
- if [ -n "$set_d" ]; then ip rule list; fi
- wan_tid=$(($(get_rt_tables_next_id)-tableCount))
- i=0; while [ $i -lt "$tableCount" ]; do
- echo "IPv4 table $((wan_tid + i)) route: $($ip_bin -4 route show table $((wan_tid + i)) | grep default)"
- echo "IPv4 table $((wan_tid + i)) rule(s):"
- $ip_bin -4 rule list table "$((wan_tid + i))"
- i=$((i + 1))
- done
-
- if [ -n "$ipv6_enabled" ]; then
- i=0; while [ $i -lt "$tableCount" ]; do
- $ip_bin -6 route show table $((wan_tid + i)) | while read -r param; do
- echo "IPv6 Table $((wan_tid + i)): $param"
- done
- i=$((i + 1))
- done
- fi
-
- for j in Mangle NAT; do
- if [ -z "$set_d" ]; then
- for i in $chainsList; do
- i="$(str_to_upper "$i")"
- if iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}" >/dev/null 2>&1; then
- echo "$_SEPARATOR_"
- echo "$j IP Table: $i"
- iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}"
- if [ -n "$ipv6_enabled" ]; then
- echo "$_SEPARATOR_"
- echo "$j IPv6 Table: $i"
- iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_${i}"
- fi
- fi
- done
- else
- echo "$_SEPARATOR_"
- echo "$j IP Table"
- iptables -L -t "$(str_to_lower $j)"
- if [ -n "$ipv6_enabled" ]; then
- echo "$_SEPARATOR_"
- echo "$j IPv6 Table"
- iptables -L -t "$(str_to_lower $j)"
- fi
- fi
- i=0; ifaceMark="$wan_mark";
- while [ $i -lt "$tableCount" ]; do
- if iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_MARK_${ifaceMark}" >/dev/null 2>&1; then
- echo "$_SEPARATOR_"
- echo "$j IP Table MARK Chain: ${iptPrefix}_MARK_${ifaceMark}"
- iptables -v -t "$(str_to_lower $j)" -S "${iptPrefix}_MARK_${ifaceMark}"
- ifaceMark="$(printf '0x%06x' $((ifaceMark + wan_mark)))";
- fi
- i=$((i + 1))
- done
- done
-
- echo "$_SEPARATOR_"
- echo "Current ipsets"
- ipset save
- if [ -s "$dnsmasqFile" ]; then
- echo "$_SEPARATOR_"
- echo "DNSMASQ sets"
- cat "$dnsmasqFile"
- fi
- if [ -s "$aghIpsetFile" ]; then
- echo "$_SEPARATOR_"
- echo "AdGuardHome sets"
- cat "$aghIpsetFile"
- fi
- echo "$_SEPARATOR_"
- } | tee -a /var/${packageName}-support
- if [ -n "$set_p" ]; then
- printf "%b" "Pasting to paste.ee... "
- if is_present 'curl' && is_variant_installed 'libopenssl' && is_installed 'ca-bundle'; then
- json_init; json_add_string "description" "${packageName}-support"
- json_add_array "sections"; json_add_object '0'
- json_add_string "name" "$(uci -q get system.@system[0].hostname)"
- json_add_string "contents" "$(cat /var/${packageName}-support)"
- json_close_object; json_close_array; payload=$(json_dump)
- out=$(curl -s -k "https://api.paste.ee/v1/pastes" -X "POST" -H "Content-Type: application/json" -H "X-Auth-Token:uVOJt6pNqjcEWu7qiuUuuxWQafpHhwMvNEBviRV2B" -d "$payload")
- json_load "$out"; json_get_var id id; json_get_var s success
- [ "$s" = "1" ] && printf "%b" "https://paste.ee/p/$id $__OK__\\n" || printf "%b" "$__FAIL__\\n"
- [ -e "/var/${packageName}-support" ] && rm -f "/var/${packageName}-support"
- else
- printf "%b" "${__FAIL__}\\n"
- printf "%b" "${_ERROR_}: The curl, libopenssl or ca-bundle packages were not found!\\nRun 'opkg update; opkg install curl libopenssl ca-bundle' to install them.\\n"
- fi
- else
- printf "%b" "Your support details have been logged to '/var/${packageName}-support'. $__OK__\\n"
- fi
-}
-
-# shellcheck disable=SC2120
-load_validate_config() {
- uci_load_validate "$packageName" "$packageName" "$1" "${2}${3:+ $3}" \
- 'enabled:bool:0' \
- 'procd_boot_delay:integer:0' \
- 'strict_enforcement:bool:1' \
- 'secure_reload:bool:0' \
- 'ipv6_enabled:bool:0' \
- 'resolver_set:or("", "none", "dnsmasq.ipset", "dnsmasq.nftset")' \
- 'verbosity:range(0,2):1' \
- "wan_mark:regex('0x[A-Fa-f0-9]{8}'):0x010000" \
- "fw_mask:regex('0x[A-Fa-f0-9]{8}'):0xff0000" \
- 'icmp_interface:or("", "tor", uci("network", "@interface"))' \
- 'ignored_interface:list(or("tor", uci("network", "@interface")))' \
- 'supported_interface:list(or("tor", uci("network", "@interface")))' \
- 'boot_timeout:integer:30' \
- 'wan_ip_rules_priority:uinteger:30000' \
- 'rule_create_option:or("", "add", "insert"):add' \
- 'procd_reload_delay:integer:0' \
- 'webui_supported_protocol:list(string)' \
- 'nft_user_set_policy:or("", "memory", "performance")'\
- 'nft_user_set_counter:bool:0'
-}
-
-# shellcheck disable=SC2120
-load_validate_policy() {
- local name
- local enabled
- local interface
- local proto
- local chain
- local src_addr
- local src_port
- local dest_addr
- local dest_port
- uci_load_validate "$packageName" 'policy' "$1" "${2}${3:+ $3}" \
- 'name:string:Untitled' \
- 'enabled:bool:1' \
- 'interface:or("ignore", "tor", uci("network", "@interface")):wan' \
- 'proto:or(string)' \
- 'chain:or("", "forward", "input", "output", "prerouting", "postrouting", "FORWARD", "INPUT", "OUTPUT", "PREROUTING", "POSTROUTING"):prerouting' \
- 'src_addr:list(neg(or(host,network,macaddr,string)))' \
- 'src_port:list(neg(or(portrange,string)))' \
- 'dest_addr:list(neg(or(host,network,string)))' \
- 'dest_port:list(neg(or(portrange,string)))'
-}
-
-# shellcheck disable=SC2120
-load_validate_include() {
- local path=
- local enabled=
- uci_load_validate "$packageName" 'include' "$1" "${2}${3:+ $3}" \
- 'path:file' \
- 'enabled:bool:0'
-}
--- /dev/null
+#!/bin/sh
+# shellcheck disable=SC2015,SC3037,SC3043
+
+readonly pbrFunctionsFile='/etc/init.d/pbr'
+if [ -s "$pbrFunctionsFile" ]; then
+# shellcheck source=../../etc/init.d/pbr
+ . "$pbrFunctionsFile"
+else
+ printf "%b: pbr init.d file (%s) not found! \n" '\033[0;31mERROR\033[0m' "$pbrFunctionsFile"
+fi
+
+# Transition resolver_set depending on dnsmasq support
+if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.ipset' ] && [ "$(uci_get pbr config resolver_set)" != 'adguardhome.ipset' ]; then
+ if check_agh_ipset; then
+ output "Setting resolver_set to 'adguardhome.ipset'... "
+ uci_set pbr config resolver_set 'adguardhome.ipset' && output_okn || output_failn
+ elif check_dnsmasq_ipset; then
+ output "Setting resolver_set to 'dnsmasq.ipset'... "
+ uci_set pbr config resolver_set 'dnsmasq.ipset' && output_okn || output_failn
+ else
+ output "Setting resolver_set to 'none'... "
+ uci_set pbr config resolver_set 'none' && output_okn || output_failn
+ fi
+ uci_commit pbr
+fi
+
+exit 0
--- /dev/null
+#!/bin/sh
+# shellcheck disable=SC3037,SC3043
+
+readonly pbrFunctionsFile='/etc/init.d/pbr'
+if [ -s "$pbrFunctionsFile" ]; then
+# shellcheck source=../../etc/init.d/pbr
+ . "$pbrFunctionsFile"
+else
+ printf "%b: pbr init.d file (%s) not found! \n" '\033[0;31mERROR\033[0m' "$pbrFunctionsFile"
+fi
+
+# shellcheck disable=SC2317
+pbr_iface_setup() {
+ local iface="${1}"
+ local proto
+ if is_supported_interface "${iface}"; then
+ output "Setting up ${packageName} routing tables for ${iface}... "
+ uci_set 'network' "${iface}" 'ip4table' "${ipTablePrefix}_${iface%6}"
+ uci_set 'network' "${iface}" 'ip6table' "${ipTablePrefix}_${iface%6}"
+ if ! grep -q -E -e "^[0-9]+\s+${ipTablePrefix}_${iface%6}$" "$rtTablesFile"; then
+ sed -i -e "\$a $(($(sort -r -n "$rtTablesFile" | grep -o -E -m 1 "^[0-9]+")+1))\t${ipTablePrefix}_${iface%6}" \
+ "$rtTablesFile"
+ fi
+ output_okbn
+ fi
+}
+
+sed -i "/${ipTablePrefix}_/d" "$rtTablesFile"
+sync
+config_load network
+config_foreach pbr_iface_setup interface
+uci_commit network
+sync
+output "Restarting network... "
+/etc/init.d/network restart
+output_okn
+
+exit 0
--- /dev/null
+#!/bin/sh
+# shellcheck disable=SC2015,SC3037,SC3043
+
+readonly pbrFunctionsFile='/etc/init.d/pbr'
+if [ -s "$pbrFunctionsFile" ]; then
+# shellcheck source=../../etc/init.d/pbr
+ . "$pbrFunctionsFile"
+else
+ printf "%b: pbr init.d file (%s) not found! \n" '\033[0;31mERROR\033[0m' "$pbrFunctionsFile"
+fi
+
+# Transition resolver_set depending on dnsmasq support
+if [ "$(uci_get pbr config resolver_set)" != 'dnsmasq.nftset' ]; then
+ if check_dnsmasq_nftset; then
+ output "Setting resolver_set to 'dnsmasq.nftset'... "
+ uci_set pbr config resolver_set 'dnsmasq.nftset' && output_okn || output_failn
+ elif check_agh_ipset; then
+ output "Setting resolver_set to 'adguardhome.ipset'... "
+ uci_set pbr config resolver_set 'adguardhome.ipset' && output_okn || output_failn
+ elif check_dnsmasq_ipset; then
+ output "Setting resolver_set to 'dnsmasq.ipset'... "
+ uci_set pbr config resolver_set 'dnsmasq.ipset' && output_okn || output_failn
+ else
+ output "Setting resolver_set to 'none'... "
+ uci_set pbr config resolver_set 'none' && output_okn || output_failn
+ fi
+ uci_commit pbr
+fi
+
+exit 0
PKG_NAME:=pdns
PKG_VERSION:=4.9.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/
--- /dev/null
+commit c6b1e59f3b413493551910a7d0a3e9206d488599
+Author: Chris Hofstaedtler <chris.hofstaedtler@deduktiva.com>
+Date: Sat Apr 6 23:51:35 2024 +0200
+
+ auth dnsproxy: fix build on s390x
+
+--- a/pdns/dnsproxy.cc
++++ b/pdns/dnsproxy.cc
+@@ -240,10 +240,11 @@ void DNSProxy::mainloop()
+ memcpy(&dHead, &buffer[0], sizeof(dHead));
+ {
+ auto conntrack = d_conntrack.lock();
+-#if BYTE_ORDER == BIG_ENDIAN
+- // this is needed because spoof ID down below does not respect the native byteorder
+- d.id = (256 * (uint16_t)buffer[1]) + (uint16_t)buffer[0];
+-#endif
++ if (BYTE_ORDER == BIG_ENDIAN) {
++ // this is needed because spoof ID down below does not respect the native byteorder
++ dHead.id = (256 * (uint16_t)buffer[1]) + (uint16_t)buffer[0];
++ }
++
+ auto iter = conntrack->find(dHead.id ^ d_xor);
+ if (iter == conntrack->end()) {
+ g_log << Logger::Error << "Discarding untracked packet from recursor backend with id " << (dHead.id ^ d_xor) << ". Conntrack table size=" << conntrack->size() << endl;
prompt "Enable zstd stream compression"
default n
+ config RSYNC_lz4
+ bool
+ prompt "Enable lz4, extremely fast compression"
+ default n
+
+ config RSYNC_xxhash
+ bool
+ prompt "Enable xxhash, extremely fast hash"
+ default n
+
endif
include $(TOPDIR)/rules.mk
PKG_NAME:=rsync
-PKG_VERSION:=3.2.7
-PKG_RELEASE:=1
+PKG_VERSION:=3.3.0
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://download.samba.org/pub/$(PKG_NAME)/src
-PKG_HASH:=4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb
+PKG_HASH:=7399e9a6708c32d678a72a63219e96f23be0be2336e50fd1348498d07041df90
PKG_MAINTAINER:=Maxim Storchak <m.storchak@gmail.com>
PKG_LICENSE:=GPL-3.0-or-later
SECTION:=net
CATEGORY:=Network
SUBMENU:=File Transfer
- TITLE:=Fast remote file copy program (like rcp)
- DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd $(ICONV_DEPENDS)
+ TITLE:=an open source utility that provides fast incremental file transfer
+ DEPENDS:=+libpopt +zlib +RSYNC_xattr:libattr +RSYNC_acl:libacl +RSYNC_zstd:libzstd +RSYNC_xxhash:libxxhash +RSYNC_lz4:liblz4 $(ICONV_DEPENDS)
URL:=https://rsync.samba.org/
MENU:=1
endef
--without-included-zlib \
--disable-debug \
--disable-asm \
- --disable-lz4 \
--disable-locale \
--disable-md2man \
--disable-openssl \
--disable-simd \
--disable-roll-simd \
- --disable-xxhash \
--$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv \
--$(if $(CONFIG_BUILD_NLS),en,dis)able-iconv-open \
--$(if $(CONFIG_RSYNC_zstd),en,dis)able-zstd \
+ --$(if $(CONFIG_RSYNC_lz4),en,dis)able-lz4 \
--$(if $(CONFIG_RSYNC_xattr),en,dis)able-xattr-support \
--$(if $(CONFIG_RSYNC_acl),en,dis)able-acl-support \
+ --$(if $(CONFIG_RSYNC_xxhash),en,dis)able-xxhash \
$(if $(CONFIG_IPV6),,--disable-ipv6)
define Package/rsyncd
include $(TOPDIR)/rules.mk
PKG_NAME:=snort3
-PKG_VERSION:=3.1.82.0
-PKG_RELEASE:=2
+PKG_VERSION:=3.1.84.0
+PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
-PKG_HASH:=64304315e1c172b80cb9fef8c27fa457357329ecf02ee27a6604a79fd6cfa10f
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/snort3/snort3
+PKG_MIRROR_HASH:=ffa69fdd95c55a943ab4dd782923caf31937dd8ad29e202d7fe781373ed84444
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>, John Audia <therealgraysky@proton.me>
PKG_LICENSE:=GPL-2.0-only
attacks.
endef
-# Hyperscan and gperftools only builds for x86
-ifdef CONFIG_TARGET_x86_64
- CMAKE_OPTIONS += -DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs
-endif
-
# Hyperscan and gperftools only builds for x86
ifdef CONFIG_TARGET_x86_64
CMAKE_OPTIONS += -DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs \
wrn(`Invalid item type '${type}', must be one of "enum", "range", "path" or "str".`);
return;
}
+ if (type == "enum") {
+ // Convert values to strings, so 'in' works in 'contains'.
+ values = map(values, function(i) { return "" + i; });
+ }
if (type == "range" && (length(values) != 2 || values[0] > values[1])) {
wrn(`A 'range' type item must have exactly 2 values in ascending order.`);
return;
--- a/src/network_inspectors/packet_capture/packet_capture.h
+++ b/src/network_inspectors/packet_capture/packet_capture.h
-@@ -21,6 +21,7 @@
- #define PACKET_CAPTURE_H
+@@ -22,6 +22,7 @@
+ #include <cstdint>
#include <string>
+#include <cstdint>
include $(TOPDIR)/rules.mk
PKG_NAME:=socat
-PKG_VERSION:=1.7.4.4
-PKG_RELEASE:=1
+PKG_VERSION:=1.8.0.0
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://www.dest-unreach.org/socat/download
-PKG_HASH:=fbd42bd2f0e54a3af6d01bdf15385384ab82dbc0e4f1a5e153b3e0be1b6380ac
+PKG_HASH:=e1de683dd22ee0e3a6c6bbff269abe18ab0c9d7eb650204f125155b9005faca7
PKG_MAINTAINER:=Ted Hess <thess@kitschensync.net>
PKG_LICENSE:=GPL-2.0-or-later OpenSSL
--disable-readline \
--enable-termios
+## procan.c fails to compile when ccache is enabled
+MAKE_FLAGS += CC="$(TARGET_CC_NOCACHE)"
+
ifneq ($(CONFIG_SOCAT_SSL),y)
CONFIGURE_ARGS+= --disable-openssl
endif
include $(TOPDIR)/rules.mk
PKG_NAME:=squid
-PKG_VERSION:=6.8
+PKG_VERSION:=6.9
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v6/ \
http://www.squid-cache.org/Versions/v6/
-PKG_HASH:=11cc5650b51809d99483ccfae24744a2e51cd16199f5ff0c917e84fce695870f
+PKG_HASH:=1ad72d46e1cb556e9561214f0fb181adb87c7c47927ef69bc8acd68a03f61882
PKG_MAINTAINER:=Marko Ratkaj <markoratkaj@gmail.com>
PKG_LICENSE:=GPL-2.0-or-later
include $(TOPDIR)/rules.mk
PKG_NAME:=tailscale
-PKG_VERSION:=1.62.1
+PKG_VERSION:=1.64.2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/tailscale/tailscale/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=22737fae37e971fecdf49d6b741b99988868aa3f1e683e67e14b872a2c49ca1c
+PKG_HASH:=e5e46f6b6b716b2c4696dce0b92dc2e36f02b06b7ad9f055042a820ad61b2a47
PKG_MAINTAINER:=Jan Pavlinec <jan.pavlinec1@gmail.com>
PKG_LICENSE:=BSD-3-Clause
include $(TOPDIR)/rules.mk
PKG_NAME:=tor
-PKG_VERSION:=0.4.8.10
+PKG_VERSION:=0.4.8.11
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://dist.torproject.org/ \
https://archive.torproject.org/tor-package-archive
-PKG_HASH:=e628b4fab70edb4727715b23cf2931375a9f7685ac08f2c59ea498a178463a86
+PKG_HASH:=8f2bdf90e63380781235aa7d604e159570f283ecee674670873d8bb7052c8e07
PKG_MAINTAINER:=Hauke Mehrtens <hauke@hauke-m.de> \
Peter Wagner <tripolar@gmx.at>
PKG_LICENSE:=BSD-3-Clause
PKG_NAME:=UDPspeeder
PKG_VERSION:=20230206.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/wangyu-/$(PKG_NAME)/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=c6b0c45e971360b25cd49be0369e94b2fb12f649d39c7e60c172c14a9e3a4e0d
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/wangyu-/UDPspeeder
+PKG_MIRROR_HASH:=8196a07089112a164ea07cc95806f79075bd1b12cc7af5316e2793421bb2cfbf
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
MAKE_FLAGS += cross
define Build/Prepare
- $(PKG_UNPACK)
+ $(Build/Prepare/Default)
sed -i 's/cc_cross=.*/cc_cross=$(TARGET_CXX)/g' $(PKG_BUILD_DIR)/makefile
sed -i '/\gitversion/d' $(PKG_BUILD_DIR)/makefile
echo 'const char * const gitversion = "$(PKG_VERSION)";' > $(PKG_BUILD_DIR)/git_version.h
- $(Build/Patch)
endef
define Package/UDPspeeder/install
include $(TOPDIR)/rules.mk
PKG_NAME:=uwsgi
-PKG_VERSION:=2.0.22
+PKG_VERSION:=2.0.25.1
PKG_RELEASE:=1
PYPI_NAME:=uWSGI
PYPI_SOURCE_NAME:=uwsgi
-PKG_HASH:=4cc4727258671ac5fa17ab422155e9aaef8a2008ebb86e4404b66deaae965db2
+PKG_HASH:=d653d2d804c194c8cbe2585fa56efa2650313ae75c686a9d7931374d4dfbfc6e
PKG_LICENSE:=GPL-2.0-or-later
PKG_LICENSE_FILES:=LICENSE
-PKG_MAINTAINER:=Ansuel Smith <ansuelsmth@gmail.com>
+PKG_MAINTAINER:=Christian Marangi <ansuelsmth@gmail.com>
PKG_BUILD_DEPENDS:=python3/host
PYTHON3_PKG_BUILD:=0
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
-@@ -859,11 +859,11 @@ class uConf(object):
+@@ -863,11 +863,11 @@ class uConf(object):
self.cflags.append('-DUWSGI_HAS_EXECINFO')
report['execinfo'] = True
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
-@@ -688,7 +688,7 @@ class uConf(object):
+@@ -684,7 +684,6 @@ class uConf(object):
self.include_path += os.environ['UWSGI_INCLUDES'].split(',')
-
-- self.cflags = ['-O2', '-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split()
-+ self.cflags = ['-I.', '-Wall', '-D_LARGEFILE_SOURCE', '-D_FILE_OFFSET_BITS=64'] + os.environ.get("CFLAGS", "").split() + self.get('cflags','').split()
-
- report['kernel'] = uwsgi_os
-
+ cflags = [
+- '-O2',
+ '-I.',
+ '-Wall',
+ '-D_LARGEFILE_SOURCE',
--- a/uwsgiconfig.py
+++ b/uwsgiconfig.py
-@@ -5,9 +5,9 @@ uwsgi_version = '2.0.22'
+@@ -5,9 +5,9 @@ uwsgi_version = '2.0.25.1'
import os
import re
import time
+++ /dev/null
-From bad0edfc10a80de908a3d83c7f075eff8df3a691 Mon Sep 17 00:00:00 2001
-From: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
-Date: Wed, 14 Jan 2015 21:19:24 +0100
-Subject: [PATCH] core/alarm: fix memory leak
-
-Reported by Coverity as CID #971006
----
- core/alarm.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/core/alarm.c
-+++ b/core/alarm.c
-@@ -171,6 +171,7 @@ static int uwsgi_alarm_log_add(char *ala
-
- ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log));
- if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) {
-+ free(ual);
- return -1;
- }
- ual->negate = negate;
{"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0},
- {"ssl-option", no_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
+ {"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
- #ifdef UWSGI_PCRE
+ #if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
{"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0},
#endif
--- a/core/uwsgi.c
+++ b/core/uwsgi.c
-@@ -1825,7 +1825,7 @@ void uwsgi_plugins_atexit(void) {
+@@ -1794,7 +1794,7 @@ void uwsgi_plugins_atexit(void) {
void uwsgi_backtrace(int depth) {
+++ /dev/null
-From 7835662f76831a76e4cc04791fcf2ee1ea725931 Mon Sep 17 00:00:00 2001
-From: Riccardo Magliocchetti <riccardo.magliocchetti@gmail.com>
-Date: Tue, 25 Jul 2023 16:17:52 +0200
-Subject: [PATCH 01/12] uwsgiconfig: prepare for pcre2
-
----
- uwsgiconfig.py | 45 ++++++++++++++++++++++-----------------------
- 1 file changed, 22 insertions(+), 23 deletions(-)
-
---- a/uwsgiconfig.py
-+++ b/uwsgiconfig.py
-@@ -1079,30 +1079,29 @@ class uConf(object):
-
- has_pcre = False
-
-- # re-enable after pcre fix
-- if self.get('pcre'):
-- if self.get('pcre') == 'auto':
-- pcreconf = spcall('pcre-config --libs')
-- if pcreconf:
-- self.libs.append(pcreconf)
-- pcreconf = spcall("pcre-config --cflags")
-- self.cflags.append(pcreconf)
-- self.gcc_list.append('core/regexp')
-- self.cflags.append("-DUWSGI_PCRE")
-- has_pcre = True
--
-+ required_pcre = self.get('pcre')
-+ if required_pcre:
-+ pcre_libs = spcall('pcre2-config --libs8')
-+ if pcre_libs:
-+ pcre_cflags = spcall("pcre2-config --cflags")
-+ pcre_define = "-DUWSGI_PCRE2"
- else:
-- pcreconf = spcall('pcre-config --libs')
-- if pcreconf is None:
-- print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre")
-- sys.exit(1)
-- else:
-- self.libs.append(pcreconf)
-- pcreconf = spcall("pcre-config --cflags")
-- self.cflags.append(pcreconf)
-- self.gcc_list.append('core/regexp')
-- self.cflags.append("-DUWSGI_PCRE")
-- has_pcre = True
-+ pcre_libs = spcall('pcre-config --libs')
-+ pcre_cflags = spcall("pcre-config --cflags")
-+ pcre_define = "-DUWSGI_PCRE"
-+ else:
-+ pcre_libs = None
-+
-+ if required_pcre:
-+ if required_pcre != 'auto' and pcre_libs is None:
-+ print("*** libpcre headers unavailable. uWSGI build is interrupted. You have to install pcre development package or disable pcre")
-+ sys.exit(1)
-+
-+ self.libs.append(pcre_libs)
-+ self.cflags.append(pcre_cflags)
-+ self.gcc_list.append('core/regexp')
-+ self.cflags.append(pcre_define)
-+ has_pcre = True
-
- if has_pcre:
- report['pcre'] = True
---- a/core/alarm.c
-+++ b/core/alarm.c
-@@ -160,7 +160,7 @@ static struct uwsgi_alarm_instance *uwsg
- }
-
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- static int uwsgi_alarm_log_add(char *alarms, char *regexp, int negate) {
-
- struct uwsgi_alarm_log *old_ual = NULL, *ual = uwsgi.alarm_logs;
-@@ -170,7 +170,7 @@ static int uwsgi_alarm_log_add(char *ala
- }
-
- ual = uwsgi_calloc(sizeof(struct uwsgi_alarm_log));
-- if (uwsgi_regexp_build(regexp, &ual->pattern, &ual->pattern_extra)) {
-+ if (uwsgi_regexp_build(regexp, &ual->pattern)) {
- free(ual);
- return -1;
- }
-@@ -331,7 +331,7 @@ void uwsgi_alarms_init() {
- usl = usl->next;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- // then map log-alarm
- usl = uwsgi.alarm_logs_list;
- while (usl) {
-@@ -377,14 +377,14 @@ void uwsgi_alarm_trigger_uai(struct uwsg
- }
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- // check if a log should raise an alarm
- void uwsgi_alarm_log_check(char *msg, size_t len) {
- if (!uwsgi_strncmp(msg, len, "[uwsgi-alarm", 12))
- return;
- struct uwsgi_alarm_log *ual = uwsgi.alarm_logs;
- while (ual) {
-- if (uwsgi_regexp_match(ual->pattern, ual->pattern_extra, msg, len) >= 0) {
-+ if (uwsgi_regexp_match(ual->pattern, msg, len) >= 0) {
- if (!ual->negate) {
- struct uwsgi_alarm_ll *uall = ual->alarms;
- while (uall) {
---- a/core/logging.c
-+++ b/core/logging.c
-@@ -414,7 +414,7 @@ void uwsgi_setup_log_master(void) {
- usl = usl->next;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- // set logger by its id
- struct uwsgi_regexp_list *url = uwsgi.log_route;
- while (url) {
-@@ -1398,11 +1398,11 @@ int uwsgi_master_log(void) {
-
- ssize_t rlen = read(uwsgi.shared->worker_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize);
- if (rlen > 0) {
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- uwsgi_alarm_log_check(uwsgi.log_master_buf, rlen);
- struct uwsgi_regexp_list *url = uwsgi.log_drain_rules;
- while (url) {
-- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
-+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
- return 0;
- }
- url = url->next;
-@@ -1411,7 +1411,7 @@ int uwsgi_master_log(void) {
- int show = 0;
- url = uwsgi.log_filter_rules;
- while (url) {
-- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
-+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
- show = 1;
- break;
- }
-@@ -1424,7 +1424,7 @@ int uwsgi_master_log(void) {
- url = uwsgi.log_route;
- int finish = 0;
- while (url) {
-- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
-+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
- struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr;
- if (ul_route) {
- uwsgi_log_func_do(uwsgi.requested_log_encoders, ul_route, uwsgi.log_master_buf, rlen);
-@@ -1464,11 +1464,11 @@ int uwsgi_master_req_log(void) {
-
- ssize_t rlen = read(uwsgi.shared->worker_req_log_pipe[0], uwsgi.log_master_buf, uwsgi.log_master_bufsize);
- if (rlen > 0) {
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *url = uwsgi.log_req_route;
- int finish = 0;
- while (url) {
-- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, uwsgi.log_master_buf, rlen) >= 0) {
-+ if (uwsgi_regexp_match(url->pattern, uwsgi.log_master_buf, rlen) >= 0) {
- struct uwsgi_logger *ul_route = (struct uwsgi_logger *) url->custom_ptr;
- if (ul_route) {
- uwsgi_log_func_do(uwsgi.requested_log_req_encoders, ul_route, uwsgi.log_master_buf, rlen);
---- a/core/regexp.c
-+++ b/core/regexp.c
-@@ -1,4 +1,4 @@
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- #include "uwsgi.h"
-
- extern struct uwsgi_server uwsgi;
-@@ -13,48 +13,110 @@ void uwsgi_opt_pcre_jit(char *opt, char
- #endif
- }
-
--int uwsgi_regexp_build(char *re, pcre ** pattern, pcre_extra ** pattern_extra) {
-+int uwsgi_regexp_build(char *re, uwsgi_pcre ** pattern) {
-
-+#ifdef UWSGI_PCRE2
-+ int errnbr;
-+ long unsigned int erroff;
-+
-+ *pattern = pcre2_compile((const unsigned char *) re, PCRE2_ZERO_TERMINATED, 0, &errnbr, &erroff, NULL);
-+#else
- const char *errstr;
- int erroff;
-
-- *pattern = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL);
-- if (!*pattern) {
-+ *pattern = uwsgi_malloc(sizeof(uwsgi_pcre));
-+ (*pattern)->p = pcre_compile((const char *) re, 0, &errstr, &erroff, NULL);
-+#endif
-+#ifdef UWSGI_PCRE2
-+ if (!(*pattern)) {
-+ uwsgi_log("pcre error: code %d at offset %d\n", errnbr, erroff);
-+#else
-+ if (!((*pattern)->p)) {
- uwsgi_log("pcre error: %s at offset %d\n", errstr, erroff);
-+#endif
- return -1;
- }
-
-+#ifdef UWSGI_PCRE2
-+ if (uwsgi.pcre_jit) {
-+ errnbr = pcre2_jit_compile(*pattern, PCRE2_JIT_COMPLETE);
-+ if (errnbr) {
-+ pcre2_code_free(*pattern);
-+ uwsgi_log("pcre JIT compile error code %d\n", errnbr);
-+ return -1;
-+ }
-+#else
- int opt = uwsgi.pcre_jit;
-
-- *pattern_extra = (pcre_extra *) pcre_study((const pcre *) *pattern, opt, &errstr);
-- if (*pattern_extra == NULL && errstr != NULL) {
-- pcre_free(*pattern);
-+ (*pattern)->extra = (pcre_extra *) pcre_study((const pcre *) (*pattern)->p, opt, &errstr);
-+ if ((*pattern)->extra == NULL && errstr != NULL) {
-+ pcre_free((*pattern)->p);
-+ free(*pattern);
- uwsgi_log("pcre (study) error: %s\n", errstr);
- return -1;
-+#endif
- }
-
- return 0;
-
- }
-
--int uwsgi_regexp_match(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length) {
--
-- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0);
-+int uwsgi_regexp_match(uwsgi_pcre *pattern, const char *subject, int length) {
-+#ifdef UWSGI_PCRE2
-+ return pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, NULL, NULL);
-+#else
-+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0);
-+#endif
- }
-
--int uwsgi_regexp_match_ovec(pcre * pattern, pcre_extra * pattern_extra, char *subject, int length, int *ovec, int n) {
-+int uwsgi_regexp_match_ovec(uwsgi_pcre *pattern, const char *subject, int length, int *ovec, int n) {
-+
-+#ifdef UWSGI_PCRE2
-+ int rc;
-+ int i;
-+ pcre2_match_data *match_data;
-+ size_t *pcre2_ovec;
-+
-+ match_data = pcre2_match_data_create_from_pattern(pattern, NULL);
-+ rc = pcre2_match(pattern, (const unsigned char *)subject, length, 0, 0, match_data, NULL);
-
-+ /*
-+ * Quoting PCRE{,2} spec, "The first pair of integers, ovector[0]
-+ * and ovector[1], identify the portion of the subject string matched
-+ * by the entire pattern. The next pair is used for the first capturing
-+ * subpattern, and so on." Therefore, the ovector size is the number of
-+ * capturing subpatterns (INFO_CAPTURECOUNT), from uwsgi_regexp_ovector(),
-+ * as matching pairs, plus room for the first pair.
-+ */
- if (n > 0) {
-- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, ovec, (n + 1) * 3);
-+ // copy pcre2 output vector to uwsgi output vector
-+ pcre2_ovec = pcre2_get_ovector_pointer(match_data);
-+ for (i=0;i<(n+1)*2;i++) {
-+ ovec[i] = pcre2_ovec[i];
-+ }
-+#else
-+ if (n > 0) {
-+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, ovec, PCRE_OVECTOR_BYTESIZE(n));
-+#endif
- }
-- return pcre_exec((const pcre *) pattern, (const pcre_extra *) pattern_extra, subject, length, 0, 0, NULL, 0);
-+
-+#ifdef UWSGI_PCRE2
-+ pcre2_match_data_free(match_data);
-+
-+ return rc;
-+#else
-+ return pcre_exec((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, subject, length, 0, 0, NULL, 0);
-+#endif
- }
-
--int uwsgi_regexp_ovector(pcre * pattern, pcre_extra * pattern_extra) {
-+int uwsgi_regexp_ovector(const uwsgi_pcre *pattern) {
-
- int n;
--
-- if (pcre_fullinfo((const pcre *) pattern, (const pcre_extra *) pattern_extra, PCRE_INFO_CAPTURECOUNT, &n))
-+#ifdef UWSGI_PCRE2
-+ if (pcre2_pattern_info(pattern, PCRE2_INFO_CAPTURECOUNT, &n))
-+#else
-+ if (pcre_fullinfo((const pcre *) pattern->p, (const pcre_extra *) pattern->extra, PCRE_INFO_CAPTURECOUNT, &n))
-+#endif
- return 0;
-
- return n;
-@@ -66,7 +128,7 @@ char *uwsgi_regexp_apply_ovec(char *src,
- int dollar = 0;
-
- size_t dollars = n;
--
-+
- for(i=0;i<dst_n;i++) {
- if (dst[i] == '$') {
- dollars++;
---- a/core/routing.c
-+++ b/core/routing.c
-@@ -211,7 +211,7 @@ int uwsgi_apply_routes_do(struct uwsgi_r
- subject = *subject2 ;
- subject_len = *subject_len2;
- }
-- n = uwsgi_regexp_match_ovec(routes->pattern, routes->pattern_extra, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]);
-+ n = uwsgi_regexp_match_ovec(routes->pattern, subject, subject_len, routes->ovector[wsgi_req->async_id], routes->ovn[wsgi_req->async_id]);
- }
- else {
- int ret = routes->if_func(wsgi_req, routes);
-@@ -506,15 +506,15 @@ void uwsgi_fixup_routes(struct uwsgi_rou
-
- // fill them if needed... (this is an optimization for route with a static subject)
- if (ur->subject && ur->subject_len) {
-- if (uwsgi_regexp_build(ur->orig_route, &ur->pattern, &ur->pattern_extra)) {
-+ if (uwsgi_regexp_build(ur->orig_route, &ur->pattern)) {
- exit(1);
- }
-
- int i;
- for(i=0;i<uwsgi.cores;i++) {
-- ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern, ur->pattern_extra);
-+ ur->ovn[i] = uwsgi_regexp_ovector(ur->pattern);
- if (ur->ovn[i] > 0) {
-- ur->ovector[i] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[i] + 1)));
-+ ur->ovector[i] = uwsgi_calloc(sizeof(int) * PCRE_OVECTOR_BYTESIZE(ur->ovn[i]));
- }
- }
- }
-@@ -1484,38 +1484,47 @@ static int uwsgi_route_condition_regexp(
- ur->condition_ub[wsgi_req->async_id] = uwsgi_routing_translate(wsgi_req, ur, NULL, 0, ur->subject_str, semicolon - ur->subject_str);
- if (!ur->condition_ub[wsgi_req->async_id]) return -1;
-
-- pcre *pattern;
-- pcre_extra *pattern_extra;
-+ uwsgi_pcre *pattern;
- char *re = uwsgi_concat2n(semicolon+1, ur->subject_str_len - ((semicolon+1) - ur->subject_str), "", 0);
-- if (uwsgi_regexp_build(re, &pattern, &pattern_extra)) {
-+ if (uwsgi_regexp_build(re, &pattern)) {
- free(re);
- return -1;
- }
- free(re);
-
- // a condition has no initialized vectors, let's create them
-- ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern, pattern_extra);
-+ ur->ovn[wsgi_req->async_id] = uwsgi_regexp_ovector(pattern);
- if (ur->ovn[wsgi_req->async_id] > 0) {
- ur->ovector[wsgi_req->async_id] = uwsgi_calloc(sizeof(int) * (3 * (ur->ovn[wsgi_req->async_id] + 1)));
- }
-
-- if (uwsgi_regexp_match_ovec(pattern, pattern_extra, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) {
-- pcre_free(pattern);
-+ if (uwsgi_regexp_match_ovec(pattern, ur->condition_ub[wsgi_req->async_id]->buf, ur->condition_ub[wsgi_req->async_id]->pos, ur->ovector[wsgi_req->async_id], ur->ovn[wsgi_req->async_id] ) >= 0) {
-+#ifdef UWSGI_PCRE2
-+ pcre2_code_free(pattern);
-+#else
-+ pcre_free(pattern->p);
- #ifdef PCRE_STUDY_JIT_COMPILE
-- pcre_free_study(pattern_extra);
-+ pcre_free_study(pattern->extra);
- #else
-- pcre_free(pattern_extra);
-+ pcre_free(pattern->extra);
-+#endif
-+ free(pattern);
- #endif
- return 1;
- }
-
-- pcre_free(pattern);
-+#ifdef UWSGI_PCRE2
-+ pcre2_code_free(pattern);
-+#else
-+ pcre_free(pattern->p);
- #ifdef PCRE_STUDY_JIT_COMPILE
-- pcre_free_study(pattern_extra);
-+ pcre_free_study(pattern->extra);
- #else
-- pcre_free(pattern_extra);
-+ pcre_free(pattern->extra);
- #endif
-- return 0;
-+ free(pattern);
-+#endif
-+ return 0;
- }
-
- static int uwsgi_route_condition_empty(struct wsgi_request *wsgi_req, struct uwsgi_route *ur) {
---- a/core/ssl.c
-+++ b/core/ssl.c
-@@ -145,10 +145,10 @@ static int uwsgi_sni_cb(SSL *ssl, int *a
-
- if (uwsgi.subscription_dotsplit) goto end;
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *url = uwsgi.sni_regexp;
- while(url) {
-- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, (char *)servername, servername_len) >= 0) {
-+ if (uwsgi_regexp_match(url->pattern, (char *)servername, servername_len) >= 0) {
- SSL_set_SSL_CTX(ssl, url->custom_ptr);
- return SSL_TLSEXT_ERR_OK;
- }
-@@ -621,7 +621,7 @@ void uwsgi_opt_sni(char *opt, char *valu
- return;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- if (!strcmp(opt, "sni-regexp")) {
- struct uwsgi_regexp_list *url = uwsgi_regexp_new_list(&uwsgi.sni_regexp, v);
- url->custom_ptr = ctx;
-@@ -630,7 +630,7 @@ void uwsgi_opt_sni(char *opt, char *valu
- #endif
- struct uwsgi_string_list *usl = uwsgi_string_new_list(&uwsgi.sni, v);
- usl->custom_ptr = ctx;
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- }
- #endif
-
---- a/core/static.c
-+++ b/core/static.c
-@@ -35,11 +35,11 @@ int uwsgi_static_want_gzip(struct wsgi_r
- usl = usl->next;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- // check for regexp
- struct uwsgi_regexp_list *url = uwsgi.static_gzip;
- while(url) {
-- if (uwsgi_regexp_match(url->pattern, url->pattern_extra, filename, *filename_len) >= 0) {
-+ if (uwsgi_regexp_match(url->pattern, filename, *filename_len) >= 0) {
- goto gzip;
- }
- url = url->next;
-@@ -216,7 +216,7 @@ int uwsgi_add_expires_type(struct wsgi_r
- return 0;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- int uwsgi_add_expires(struct wsgi_request *wsgi_req, char *filename, int filename_len, struct stat *st) {
-
- struct uwsgi_dyn_dict *udd = uwsgi.static_expires;
-@@ -225,7 +225,7 @@ int uwsgi_add_expires(struct wsgi_reques
- char expires[31];
-
- while (udd) {
-- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) {
-+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) {
- int delta = uwsgi_str_num(udd->value, udd->vallen);
- int size = uwsgi_http_date(now + delta, expires);
- if (size > 0) {
-@@ -238,7 +238,7 @@ int uwsgi_add_expires(struct wsgi_reques
-
- udd = uwsgi.static_expires_mtime;
- while (udd) {
-- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, filename, filename_len) >= 0) {
-+ if (uwsgi_regexp_match(udd->pattern, filename, filename_len) >= 0) {
- int delta = uwsgi_str_num(udd->value, udd->vallen);
- int size = uwsgi_http_date(st->st_mtime + delta, expires);
- if (size > 0) {
-@@ -260,7 +260,7 @@ int uwsgi_add_expires_path_info(struct w
- char expires[31];
-
- while (udd) {
-- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
-+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
- int delta = uwsgi_str_num(udd->value, udd->vallen);
- int size = uwsgi_http_date(now + delta, expires);
- if (size > 0) {
-@@ -273,7 +273,7 @@ int uwsgi_add_expires_path_info(struct w
-
- udd = uwsgi.static_expires_path_info_mtime;
- while (udd) {
-- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
-+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->path_info, wsgi_req->path_info_len) >= 0) {
- int delta = uwsgi_str_num(udd->value, udd->vallen);
- int size = uwsgi_http_date(st->st_mtime + delta, expires);
- if (size > 0) {
-@@ -295,7 +295,7 @@ int uwsgi_add_expires_uri(struct wsgi_re
- char expires[31];
-
- while (udd) {
-- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
-+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
- int delta = uwsgi_str_num(udd->value, udd->vallen);
- int size = uwsgi_http_date(now + delta, expires);
- if (size > 0) {
-@@ -308,7 +308,7 @@ int uwsgi_add_expires_uri(struct wsgi_re
-
- udd = uwsgi.static_expires_uri_mtime;
- while (udd) {
-- if (uwsgi_regexp_match(udd->pattern, udd->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
-+ if (uwsgi_regexp_match(udd->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
- int delta = uwsgi_str_num(udd->value, udd->vallen);
- int size = uwsgi_http_date(st->st_mtime + delta, expires);
- if (size > 0) {
-@@ -507,7 +507,7 @@ int uwsgi_real_file_serve(struct wsgi_re
- if (uwsgi_response_prepare_headers(wsgi_req, "200 OK", 6)) return -1;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- uwsgi_add_expires(wsgi_req, real_filename, real_filename_len, st);
- uwsgi_add_expires_path_info(wsgi_req, st);
- uwsgi_add_expires_uri(wsgi_req, st);
---- a/core/utils.c
-+++ b/core/utils.c
-@@ -2301,7 +2301,7 @@ struct uwsgi_string_list *uwsgi_string_n
- return uwsgi_string;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **list, char *value, char *custom) {
-
- struct uwsgi_regexp_list *url = *list, *old_url;
-@@ -2320,7 +2320,7 @@ struct uwsgi_regexp_list *uwsgi_regexp_c
- old_url->next = url;
- }
-
-- if (uwsgi_regexp_build(value, &url->pattern, &url->pattern_extra)) {
-+ if (uwsgi_regexp_build(value, &url->pattern)) {
- exit(1);
- }
- url->next = NULL;
-@@ -2333,14 +2333,13 @@ struct uwsgi_regexp_list *uwsgi_regexp_c
-
- int uwsgi_regexp_match_pattern(char *pattern, char *str) {
-
-- pcre *regexp;
-- pcre_extra *regexp_extra;
-+ uwsgi_pcre *regexp;
-
-- if (uwsgi_regexp_build(pattern, ®exp, ®exp_extra))
-+ if (uwsgi_regexp_build(pattern, ®exp))
- return 1;
-- return !uwsgi_regexp_match(regexp, regexp_extra, str, strlen(str));
--}
-
-+ return !uwsgi_regexp_match(regexp, str, strlen(str));
-+}
-
- #endif
-
---- a/core/uwsgi.c
-+++ b/core/uwsgi.c
-@@ -130,7 +130,7 @@ static struct uwsgi_option uwsgi_base_op
- {"if-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname, UWSGI_OPT_IMMEDIATE},
- {"if-not-hostname", required_argument, 0, "(opt logic) check for hostname", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname, UWSGI_OPT_IMMEDIATE},
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"if-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_hostname_match, UWSGI_OPT_IMMEDIATE},
- {"if-not-hostname-match", required_argument, 0, "(opt logic) try to match hostname against a regular expression", uwsgi_opt_logic, (void *) uwsgi_logic_opt_if_not_hostname_match, UWSGI_OPT_IMMEDIATE},
- #endif
-@@ -548,7 +548,7 @@ static struct uwsgi_option uwsgi_base_op
- {"ksm", optional_argument, 0, "enable Linux KSM", uwsgi_opt_set_int, &uwsgi.linux_ksm, 0},
- #endif
- #endif
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"pcre-jit", no_argument, 0, "enable pcre jit (if available)", uwsgi_opt_pcre_jit, NULL, UWSGI_OPT_IMMEDIATE},
- #endif
- {"never-swap", no_argument, 0, "lock all memory pages avoiding swapping", uwsgi_opt_true, &uwsgi.never_swap, 0},
-@@ -679,7 +679,7 @@ static struct uwsgi_option uwsgi_base_op
- {"ssl-enable-sslv3", no_argument, 0, "enable SSLv3 (insecure)", uwsgi_opt_true, &uwsgi.sslv3, 0},
- {"ssl-enable-tlsv1", no_argument, 0, "enable TLSv1 (insecure)", uwsgi_opt_true, &uwsgi.tlsv1, 0},
- {"ssl-option", required_argument, 0, "set a raw ssl option (numeric value)", uwsgi_opt_add_string_list, &uwsgi.ssl_options, 0},
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"sni-regexp", required_argument, 0, "add an SNI-governed SSL context (the key is a regexp)", uwsgi_opt_sni, NULL, 0},
- #endif
- {"ssl-tmp-dir", required_argument, 0, "store ssl-related temp files in the specified directory", uwsgi_opt_set_str, &uwsgi.ssl_tmp_dir, 0},
-@@ -715,7 +715,7 @@ static struct uwsgi_option uwsgi_base_op
- {"log-req-encoder", required_argument, 0, "add an item in the log req encoder chain", uwsgi_opt_add_string_list, &uwsgi.requested_log_req_encoders, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
-
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"log-drain", required_argument, 0, "drain (do not show) log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_drain_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
- {"log-filter", required_argument, 0, "show only log lines matching the specified regexp", uwsgi_opt_add_regexp_list, &uwsgi.log_filter_rules, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
- {"log-route", required_argument, 0, "log to the specified named logger if regexp applied on logline matches", uwsgi_opt_add_regexp_custom_list, &uwsgi.log_route, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
-@@ -736,7 +736,7 @@ static struct uwsgi_option uwsgi_base_op
- {"alarm-lq", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
- {"alarm-listen-queue", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
- {"listen-queue-alarm", required_argument, 0, "raise the specified alarm when the socket backlog queue is full", uwsgi_opt_add_string_list, &uwsgi.alarm_backlog, UWSGI_OPT_MASTER},
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"log-alarm", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
- {"alarm-log", required_argument, 0, "raise the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
- {"not-log-alarm", required_argument, 0, "skip the specified alarm when a log line matches the specified regexp, syntax: <alarm>[,alarm...] <regexp>", uwsgi_opt_add_string_list_custom, &uwsgi.alarm_logs_list, UWSGI_OPT_MASTER | UWSGI_OPT_LOG_MASTER},
-@@ -915,7 +915,7 @@ static struct uwsgi_option uwsgi_base_op
- {"static-expires-type", required_argument, 0, "set the Expires header based on content type", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type, UWSGI_OPT_MIME},
- {"static-expires-type-mtime", required_argument, 0, "set the Expires header based on content type and file mtime", uwsgi_opt_add_dyn_dict, &uwsgi.static_expires_type_mtime, UWSGI_OPT_MIME},
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"static-expires", required_argument, 0, "set the Expires header based on filename regexp", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires, UWSGI_OPT_MIME},
- {"static-expires-mtime", required_argument, 0, "set the Expires header based on filename regexp and file mtime", uwsgi_opt_add_regexp_dyn_dict, &uwsgi.static_expires_mtime, UWSGI_OPT_MIME},
-
-@@ -2424,7 +2424,7 @@ void uwsgi_setup(int argc, char *argv[],
- }
-
- uwsgi_log_initial("clock source: %s\n", uwsgi.clock->name);
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- if (uwsgi.pcre_jit) {
- uwsgi_log_initial("pcre jit enabled\n");
- }
-@@ -4186,7 +4186,7 @@ void uwsgi_opt_add_string_list_custom(ch
- usl->custom = 1;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- void uwsgi_opt_add_regexp_list(char *opt, char *value, void *list) {
- struct uwsgi_regexp_list **ptr = (struct uwsgi_regexp_list **) list;
- uwsgi_regexp_new_list(ptr, value);
-@@ -4452,7 +4452,7 @@ void uwsgi_opt_add_dyn_dict(char *opt, c
-
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- void uwsgi_opt_add_regexp_dyn_dict(char *opt, char *value, void *dict) {
-
- char *space = strchr(value, ' ');
-@@ -4467,7 +4467,7 @@ void uwsgi_opt_add_regexp_dyn_dict(char
-
- char *regexp = uwsgi_concat2n(value, space - value, "", 0);
-
-- if (uwsgi_regexp_build(regexp, &new_udd->pattern, &new_udd->pattern_extra)) {
-+ if (uwsgi_regexp_build(regexp, &new_udd->pattern)) {
- exit(1);
- }
-
---- a/uwsgi.h
-+++ b/uwsgi.h
-@@ -438,8 +438,26 @@ struct uwsgi_lock_ops {
- #define uwsgi_wait_read_req(x) uwsgi.wait_read_hook(x->fd, uwsgi.socket_timeout) ; x->switches++
- #define uwsgi_wait_write_req(x) uwsgi.wait_write_hook(x->fd, uwsgi.socket_timeout) ; x->switches++
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
-+#ifdef UWSGI_PCRE2
-+
-+#define PCRE2_CODE_UNIT_WIDTH 8
-+#include <pcre2.h>
-+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*2
-+
-+typedef pcre2_code uwsgi_pcre;
-+
-+#else
-+
- #include <pcre.h>
-+#define PCRE_OVECTOR_BYTESIZE(n) (n+1)*3
-+
-+typedef struct {
-+ pcre *p;
-+ pcre_extra *extra;
-+} uwsgi_pcre;
-+
-+#endif
- #endif
-
- struct uwsgi_dyn_dict {
-@@ -455,9 +473,8 @@ struct uwsgi_dyn_dict {
- struct uwsgi_dyn_dict *prev;
- struct uwsgi_dyn_dict *next;
-
--#ifdef UWSGI_PCRE
-- pcre *pattern;
-- pcre_extra *pattern_extra;
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
-+ uwsgi_pcre *pattern;
- #endif
-
- };
-@@ -468,11 +485,10 @@ struct uwsgi_hook {
- struct uwsgi_hook *next;
- };
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list {
-
-- pcre *pattern;
-- pcre_extra *pattern_extra;
-+ uwsgi_pcre *pattern;
-
- uint64_t custom;
- char *custom_str;
-@@ -1089,11 +1105,11 @@ struct uwsgi_plugin {
- void (*post_uwsgi_fork) (int);
- };
-
--#ifdef UWSGI_PCRE
--int uwsgi_regexp_build(char *, pcre **, pcre_extra **);
--int uwsgi_regexp_match(pcre *, pcre_extra *, char *, int);
--int uwsgi_regexp_match_ovec(pcre *, pcre_extra *, char *, int, int *, int);
--int uwsgi_regexp_ovector(pcre *, pcre_extra *);
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
-+int uwsgi_regexp_build(char *, uwsgi_pcre **);
-+int uwsgi_regexp_match(uwsgi_pcre *, const char *, int);
-+int uwsgi_regexp_match_ovec(uwsgi_pcre *, const char *, int, int *, int);
-+int uwsgi_regexp_ovector(const uwsgi_pcre *);
- char *uwsgi_regexp_apply_ovec(char *, int, char *, int, int *, int);
-
- int uwsgi_regexp_match_pattern(char *pattern, char *str);
-@@ -1182,8 +1198,7 @@ struct uwsgi_spooler {
-
- struct uwsgi_route {
-
-- pcre *pattern;
-- pcre_extra *pattern_extra;
-+ uwsgi_pcre *pattern;
-
- char *orig_route;
-
-@@ -1292,15 +1307,14 @@ struct uwsgi_alarm_fd {
-
- struct uwsgi_alarm_fd *uwsgi_add_alarm_fd(int, char *, size_t, char *, size_t);
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_alarm_ll {
- struct uwsgi_alarm_instance *alarm;
- struct uwsgi_alarm_ll *next;
- };
-
- struct uwsgi_alarm_log {
-- pcre *pattern;
-- pcre_extra *pattern_extra;
-+ uwsgi_pcre *pattern;
- int negate;
- struct uwsgi_alarm_ll *alarms;
- struct uwsgi_alarm_log *next;
-@@ -2234,7 +2248,7 @@ struct uwsgi_server {
- struct uwsgi_string_list *requested_log_encoders;
- struct uwsgi_string_list *requested_log_req_encoders;
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- int pcre_jit;
- struct uwsgi_regexp_list *log_drain_rules;
- struct uwsgi_regexp_list *log_filter_rules;
-@@ -2316,7 +2330,7 @@ struct uwsgi_server {
- int static_gzip_all;
- struct uwsgi_string_list *static_gzip_dir;
- struct uwsgi_string_list *static_gzip_ext;
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *static_gzip;
- #endif
-
-@@ -2715,7 +2729,7 @@ struct uwsgi_server {
- int ssl_sessions_timeout;
- struct uwsgi_cache *ssl_sessions_cache;
- char *ssl_tmp_dir;
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *sni_regexp;
- #endif
- struct uwsgi_string_list *sni;
-@@ -3584,7 +3598,7 @@ void uwsgi_shutdown_all_sockets(void);
- void uwsgi_close_all_unshared_sockets(void);
-
- struct uwsgi_string_list *uwsgi_string_new_list(struct uwsgi_string_list **, char *);
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *uwsgi_regexp_custom_new_list(struct uwsgi_regexp_list **, char *, char *);
- #define uwsgi_regexp_new_list(x, y) uwsgi_regexp_custom_new_list(x, y, NULL);
- #endif
-@@ -3838,7 +3852,7 @@ void uwsgi_opt_add_addr_list(char *, cha
- void uwsgi_opt_add_string_list_custom(char *, char *, void *);
- void uwsgi_opt_add_dyn_dict(char *, char *, void *);
- void uwsgi_opt_binary_append_data(char *, char *, void *);
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- void uwsgi_opt_pcre_jit(char *, char *, void *);
- void uwsgi_opt_add_regexp_dyn_dict(char *, char *, void *);
- void uwsgi_opt_add_regexp_list(char *, char *, void *);
---- a/.github/workflows/compile-test.yml
-+++ b/.github/workflows/compile-test.yml
-@@ -9,6 +9,10 @@ on:
- jobs:
- build:
-
-+ strategy:
-+ matrix:
-+ libpcre: [libpcre3-dev, libpcre2-dev]
-+
- runs-on: ubuntu-20.04
-
- steps:
-@@ -20,7 +24,7 @@ jobs:
- run: |
- sudo apt update -qq
- sudo apt install --no-install-recommends -qqyf python3.8-dev \
-- libxml2-dev libpcre3-dev libcap2-dev \
-+ libxml2-dev ${{ matrix.libpcre }} libcap2-dev \
- libargon2-0-dev libsodium-dev \
- php7.4-dev libphp7.4-embed \
- liblua5.1-0-dev ruby2.7-dev \
---- a/.github/workflows/test.yml
-+++ b/.github/workflows/test.yml
-@@ -21,7 +21,7 @@ jobs:
- run: |
- sudo apt update -qq
- sudo apt install --no-install-recommends -qqyf python${{ matrix.python-version }}-dev \
-- libpcre3-dev libjansson-dev libcap2-dev \
-+ libpcre2-dev libjansson-dev libcap2-dev \
- curl check
- - name: Install distutils
- if: contains(fromJson('["3.6","3.7","3.8","3.9","3.10","3.11"]'), matrix.python-version)
---- a/plugins/php/php_plugin.c
-+++ b/plugins/php/php_plugin.c
-@@ -16,7 +16,7 @@ struct uwsgi_php {
- struct uwsgi_string_list *index;
- struct uwsgi_string_list *set;
- struct uwsgi_string_list *append_config;
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *app_bypass;
- #endif
- struct uwsgi_string_list *vars;
-@@ -63,7 +63,7 @@ struct uwsgi_option uwsgi_php_options[]
- {"php-fallback", required_argument, 0, "run the specified php script when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback, 0},
- {"php-fallback2", required_argument, 0, "run the specified php script relative to the document root when the requested one does not exist", uwsgi_opt_set_str, &uphp.fallback2, 0},
- {"php-fallback-qs", required_argument, 0, "php-fallback with QUERY_STRING set", uwsgi_opt_set_str, &uphp.fallback_qs, 0},
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- {"php-app-bypass", required_argument, 0, "if the regexp matches the uri the --php-app is bypassed", uwsgi_opt_add_regexp_list, &uphp.app_bypass, 0},
- #endif
- {"php-var", required_argument, 0, "add/overwrite a CGI variable at each request", uwsgi_opt_add_string_list, &uphp.vars, 0},
-@@ -810,10 +810,14 @@ int uwsgi_php_request(struct wsgi_reques
- wsgi_req->document_root_len = strlen(wsgi_req->document_root);
-
- if (uphp.app) {
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- struct uwsgi_regexp_list *bypass = uphp.app_bypass;
- while (bypass) {
-+#ifdef UWSGI_PCRE2
-+ if (uwsgi_regexp_match(bypass->pattern, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
-+#else
- if (uwsgi_regexp_match(bypass->pattern, bypass->pattern_extra, wsgi_req->uri, wsgi_req->uri_len) >= 0) {
-+#endif
- goto oldstyle;
- }
- bypass = bypass->next;
-@@ -849,7 +853,7 @@ appready:
- goto secure2;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- oldstyle:
- #endif
-
---- a/core/config.c
-+++ b/core/config.c
-@@ -314,7 +314,7 @@ int uwsgi_logic_opt_if_not_hostname(char
- return 0;
- }
-
--#ifdef UWSGI_PCRE
-+#if defined(UWSGI_PCRE) || defined(UWSGI_PCRE2)
- int uwsgi_logic_opt_if_hostname_match(char *key, char *value) {
- if (uwsgi_regexp_match_pattern(uwsgi.logic_opt_data, uwsgi.hostname)) {
- add_exported_option(key, uwsgi_substitute(value, "%(_)", uwsgi.logic_opt_data), 0);
include $(TOPDIR)/rules.mk
PKG_NAME:=v2ray-core
-PKG_VERSION:=5.15.1
+PKG_VERSION:=5.15.3
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=461a65a1675f17ad95a2a5ddf0b016247a34aa376ed1738c143e7c6603ab4abd
+PKG_HASH:=32b325e54ee93fb3563c33d3c097592aa857370055d8ef1c50fd2387678843df
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE
include $(TOPDIR)/rules.mk
PKG_NAME:=v2ray-geodata
-PKG_RELEASE:=r1
+PKG_RELEASE:=1
PKG_LICENSE_FILES:=LICENSE
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
include $(INCLUDE_DIR)/package.mk
-GEOIP_VER:=202404040040
+GEOIP_VER:=202404110039
GEOIP_FILE:=geoip.dat.$(GEOIP_VER)
define Download/geoip
URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/
URL_FILE:=geoip.dat
FILE:=$(GEOIP_FILE)
- HASH:=492a0af649accb4e9ae91f80a272e295ce6444489f6d85b389cdc635234c6ddf
+ HASH:=d4a2e3666139dc98b76f1b0bc7db6b9dd9b35a5d2b0aecb5943e4211c1ebd026
endef
-GEOSITE_VER:=20240403140129
+GEOSITE_VER:=20240410101316
GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER)
define Download/geosite
URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/
URL_FILE:=dlc.dat
FILE:=$(GEOSITE_FILE)
- HASH:=bcae4b8ff409117b8f24e6c62c0d5c8c9d4dca75d335e12f8ac3a22331a81c52
+ HASH:=e74d3da9d4db57fba399f9093ffabbc6630a7cf10965ebcde07725a0f00e24d7
endef
-GEOSITE_IRAN_VER:=202404010028
+GEOSITE_IRAN_VER:=202404150255
GEOSITE_IRAN_FILE:=iran.dat.$(GEOSITE_IRAN_VER)
define Download/geosite-ir
URL:=https://github.com/bootmortis/iran-hosted-domains/releases/download/$(GEOSITE_IRAN_VER)/
URL_FILE:=iran.dat
FILE:=$(GEOSITE_IRAN_FILE)
- HASH:=322d972bfb3f6bb5d960c6d7e14a732d75f0a32ad59ce609a1a9843eef51e257
+ HASH:=7b29fd53c2a25c6d79eeb6f76cc4b0a0770fe00eee1ea4d7a4a9f77d49ca44ad
endef
define Package/v2ray-geodata/template
$(call Package/v2ray-geodata/template)
TITLE:=GeoIP List for V2Ray
PROVIDES:=v2ray-geodata xray-geodata xray-geoip
- VERSION:=$(GEOIP_VER)-$(PKG_RELEASE)
+ VERSION:=$(GEOIP_VER)-r$(PKG_RELEASE)
LICENSE:=CC-BY-SA-4.0
endef
$(call Package/v2ray-geodata/template)
TITLE:=Geosite List for V2Ray
PROVIDES:=v2ray-geodata xray-geodata xray-geosite
- VERSION:=$(GEOSITE_VER)-$(PKG_RELEASE)
+ VERSION:=$(GEOSITE_VER)-r$(PKG_RELEASE)
LICENSE:=MIT
endef
$(call Package/v2ray-geodata/template)
TITLE:=Iran Geosite List for V2Ray
PROVIDES:=xray-geosite-ir
- VERSION:=$(GEOSITE_IRAN_VER)-$(PKG_RELEASE)
+ VERSION:=$(GEOSITE_IRAN_VER)-r$(PKG_RELEASE)
LICENSE:=MIT
endef
include $(TOPDIR)/rules.mk
PKG_NAME:=wget
-PKG_VERSION:=1.21.4
+PKG_VERSION:=1.24.5
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@GNU/$(PKG_NAME)
-PKG_HASH:=81542f5cefb8faacc39bbbc6c82ded80e3e4a88505ae72ea51df27525bcde04c
+PKG_HASH:=fa2dc35bab5184ecbc46a9ef83def2aaaa3f4c9f3c97d4bd19dcb07d4da637de
PKG_MAINTAINER:=
PKG_LICENSE:=GPL-3.0-or-later
--with-kbuild="$(LINUX_DIR)" \
--with-xtlibdir="/usr/lib/iptables"
-ifdef CONFIG_EXTERNAL_TOOLCHAIN
-MAKE_FLAGS:= \
- $(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
- DEPMOD="/bin/true"
-
-MAKE_INSTALL_FLAGS:= \
- $(patsubst ARCH=%,ARCH=$(LINUX_KARCH),$(MAKE_FLAGS)) \
- DEPMOD="/bin/true"
-else
define Build/Compile
+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
$(KERNEL_MAKE_FLAGS) \
DEPMOD="/bin/true" \
install
endef
-endif
# 1: extension/module suffix used in package name
# 2: extension/module display name used in package title/description
include $(TOPDIR)/rules.mk
PKG_NAME:=mpg123
-PKG_VERSION:=1.32.5
+PKG_VERSION:=1.32.6
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=@SF/mpg123
-PKG_HASH:=af908cdf6cdb6544b97bc706a799f79894e69468af5881bf454a0ebb9171ed63
+PKG_HASH:=ccdd1d0abc31d73d8b435fc658c79049d0a905b30669b6a42a03ad169dc609e6
PKG_MAINTAINER:=Zoltan HERPAI <wigyori@uid0.hu>
PKG_LICENSE_FILES:=COPYING
PKG_NAME:=shairport-sync
PKG_VERSION:=4.3.2
-PKG_RELEASE:=3
+PKG_RELEASE:=5
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/mikebrady/shairport-sync/tar.gz/$(PKG_VERSION)?
SECTION:=sound
CATEGORY:=Sound
TITLE:=AirPlay compatible audio player
- DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp
+ DEPENDS:=@AUDIO_SUPPORT +libpthread +alsa-lib +libconfig +libdaemon +libpopt +libplist +libsodium +libgcrypt +libffmpeg-full +libuuid +nqptp +libmosquitto
PROVIDES:=shairport-sync
URL:=https://github.com/mikebrady/shairport-sync
endef
--with-libdaemon \
--with-airplay-2 \
--with-pipe \
+ --with-mqtt-client \
--with-metadata
ifeq ($(BUILD_VARIANT),openssl)
# Session Control
option sesctl_run_before_play_begins '' # /etc/shairport-sync-start.sh
option sesctl_run_after_play_ends '' # /etc/shairport-sync-stop.sh
+ option sesctl_run_before_entering_active_state '' # /path/to/script.sh
+ option sesctl_run_after_exiting_active_state '' # /path/to/script.sh
+ option sesctl_run_if_an_unfixable_error_is_detected '' # /path/to/script.sh
+ option sesctl_run_when_volume_is_set '' # /path/to/script.sh
option sesctl_wait_for_completion '' # no/yes
option sesctl_session_interruption '' # no/yes
option sesctl_session_timeout '' # 120
# Stdout
option stdout_latency_offset '' # 0
option stdout_buffer_length '' # 44100
+ # MQTT: https://github.com/mikebrady/shairport-sync/blob/master/MQTT.md
+ option mqtt_enabled 'no'
+ option mqtt_hostname '127.0.0.1'
+ option mqtt_port '1883'
+ option mqtt_username '' # empty = no authentication
+ option mqtt_password '' # empty = no authentication
+ option mqtt_topic 'shairport'
+ option mqtt_publish_raw 'no'
+ option mqtt_publish_parsed 'no'
+ option mqtt_publish_cover 'no'
+ option mqtt_enable_remote 'no'
# AO
option ao_latency_offset '' # 0
option ao_buffer_length '' # 44100
printf "{\n"
append_str "$cfg" sesctl_run_before_play_begins "run_this_before_play_begins"
append_str "$cfg" sesctl_run_after_play_ends "run_this_after_play_ends"
+ append_str "$cfg" sesctl_run_before_entering_active_state "run_this_before_entering_active_state"
+ append_str "$cfg" sesctl_run_after_exiting_active_state "run_this_after_exiting_active_state"
+ append_str "$cfg" sesctl_run_if_an_unfixable_error_is_detected "run_this_if_an_unfixable_error_is_detected"
+ append_str "$cfg" sesctl_run_when_volume_is_set "run_this_when_volume_is_set"
append_str "$cfg" sesctl_wait_for_completion "wait_for_completion"
append_str "$cfg" sesctl_session_interruption "allow_session_interruption"
append_num "$cfg" sesctl_session_timeout "session_timeout"
append_num "$cfg" stdout_buffer_length "audio_backend_buffer_desired_length"
printf "};\n\n"
+ # MQTT
+ printf "mqtt =\n"
+ printf "{\n"
+ append_str "$cfg" mqtt_enabled "enabled"
+ append_str "$cfg" mqtt_hostname "hostname"
+ append_num "$cfg" mqtt_port "port"
+ append_str "$cfg" mqtt_username "username"
+ append_str "$cfg" mqtt_password "password"
+ append_str "$cfg" mqtt_topic "topic"
+ append_str "$cfg" mqtt_publish_raw "publish_raw"
+ append_str "$cfg" mqtt_publish_parsed "publish_parsed"
+ append_str "$cfg" mqtt_publish_cover "publish_cover"
+ append_str "$cfg" mqtt_enable_remote "enable_remote"
+ printf "};\n\n"
+
# AO audio back end
printf "ao =\n"
printf "{\n"
PKG_NAME:=cni-plugins-nft
PKG_VERSION:=1.0.12
-PKG_RELEASE:=1
+PKG_RELEASE:=2
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins/archive/v$(PKG_VERSION)
-PKG_HASH:=51c4b41c61f46c7dfc691d52dba301e7d8189589e1a625772f761ea3ae804fb3
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/greenpau/cni-plugins
+PKG_MIRROR_HASH:=3bb778c8f48261eaaee8b14b9219f1730967ef16158b5b540d45da54ef580e53
PKG_MAINTAINER:=Oskari Rauta <oskari.rauta@gmail.com>
PKG_LICENSE:=Apache-2.0
include $(INCLUDE_DIR)/package.mk
include ../../lang/golang/golang-package.mk
-PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
-
define Package/cni-plugins-nft
SECTION:=utils
CATEGORY:=Utilities
PKG_NAME:=cni-plugins
PKG_VERSION:=1.1.1
-PKG_RELEASE:=1
-PKG_LICENSE:=Apache-2.0
-PKG_LICENSE_FILES:=LICENSE
+PKG_RELEASE:=2
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/containernetworking/plugins/archive/v$(PKG_VERSION)
-PKG_HASH:=c86c44877c47f69cd23611e22029ab26b613f620195b76b3ec20f589367a7962
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/containernetworking/plugins
+PKG_MIRROR_HASH:=4372700fa1fb159235586432800f228d92246d13571f5a29aa9bc58291eac6d9
PKG_MAINTAINER:=Daniel Golle <daniel@makrotopia.org>, Paul Spooren <mail@aparcar.org>
+PKG_LICENSE:=Apache-2.0
+PKG_LICENSE_FILES:=LICENSE
PKG_BUILD_DEPENDS:=golang/host
PKG_BUILD_PARALLEL:=1
include $(INCLUDE_DIR)/package.mk
include ../../lang/golang/golang-package.mk
-PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
-
define Package/cni-plugins
SECTION:=utils
CATEGORY:=Utilities
+kmod-veth \
+tini \
+uci-firewall \
- @!(mips||mipsel)
+ @!(mips||mips64||mipsel)
USERID:=docker:docker
MENU:=1
endef
include $(TOPDIR)/rules.mk
PKG_NAME:=eza
-PKG_VERSION:=0.18.9
+PKG_VERSION:=0.18.11
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/eza-community/eza/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=917736591429813ef4cfce47bb2d3d87e9f1e142b2a6ebf74a345c3a15894918
+PKG_HASH:=92d810c36ac67038e2ed3c421087de8793eb0b9de332c9239096df9d52eb30e3
PKG_MAINTAINER:=Jonas Jelonek <jelonek.jonas@gmail.com>
PKG_LICENSE:=MIT
include $(TOPDIR)/rules.mk
PKG_NAME:=fontconfig
-PKG_VERSION:=2.13.94
-PKG_RELEASE:=3
+PKG_VERSION:=2.15.0
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=https://fontconfig.org/release/
-PKG_HASH:=a5f052cb73fd479ffb7b697980510903b563bbb55b8f7a2b001fcfb94026003c
+PKG_SOURCE_URL:=https://www.freedesktop.org/software/fontconfig/release/
+PKG_HASH:=63a0658d0e06e0fa886106452b58ef04f21f58202ea02a94c39de0d3335d7c0e
PKG_MAINTAINER:=
PKG_LICENSE:=
SUBMENU:=Font-Utils
TITLE:=fontconfig
DEPENDS:=+libpthread +libexpat +libfreetype
- URL:=http://fontconfig.org/
+ URL:=https://www.freedesktop.org/wiki/Software/fontconfig/
endef
MESON_ARGS += \
+++ /dev/null
-Revert partially the upstream commit ae9ac2a1
-
- Subject: [PATCH] meson: fix cross-compilation issues with gperf header file preprocessing
-
- Pass c_args to the compiler when preprocessing the gperf header file,
- they might contain important bits without which compilation/preprocessing
- might fail (e.g. with clang on Android). cc.cmd_array() does not include
- the c_args and we can't easily look them up from the meson.build file, so
- we have to retrieve from the introspection info.
-
- This is basically the Meson equivalent to commit 57103773.
-
-Revert the host_cargs related part of the patch
-
-
---- a/src/cutout.py
-+++ b/src/cutout.py
-@@ -24,7 +24,7 @@ if __name__== '__main__':
- break
-
- cpp = args[1]
-- ret = subprocess.run(cpp + host_cargs + [args[0].input], stdout=subprocess.PIPE, check=True)
-+ ret = subprocess.run(cpp + [args[0].input], stdout=subprocess.PIPE, check=True)
-
- stdout = ret.stdout.decode('utf8')
-
include $(TOPDIR)/rules.mk
PKG_NAME:=gptfdisk
-PKG_VERSION:=1.0.9
+PKG_VERSION:=1.0.10
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=@SF/$(PKG_NAME)
-PKG_HASH:=dafead2693faeb8e8b97832b23407f6ed5b3219bc1784f482dd855774e2d50c2
+PKG_HASH:=2abed61bc6d2b9ec498973c0440b8b804b7a72d7144069b5a9209b2ad693a282
PKG_MAINTAINER:=
PKG_LICENSE:=GPL-2.0-or-later
+++ /dev/null
-From 7dfa8984f5a30f313d8675ff6097c8592d636d10 Mon Sep 17 00:00:00 2001
-From: Khem Raj <raj.khem@gmail.com>
-Date: Mon, 12 Dec 2022 12:50:07 -0800
-Subject: [PATCH] Use 64bit time_t on linux as well
-
-Alias 64bit version of stat functions to original functions
-we are already passing -D_FILE_OFFSET_BITS=64 in linux Makefile
-
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- diskio-unix.cc | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/diskio-unix.cc
-+++ b/diskio-unix.cc
-@@ -37,8 +37,12 @@
-
- using namespace std;
-
--#ifdef __APPLE__
-+#if defined(__APPLE__) || defined(__linux__)
- #define off64_t off_t
-+#define stat64 stat
-+#define fstat64 fstat
-+#define lstat64 lstat
-+#define lseek64 lseek
- #endif
-
- // Returns the official "real" name for a shortened version of same.
include $(TOPDIR)/rules.mk
PKG_NAME:=mc
-PKG_VERSION:=4.8.30
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.31
+PKG_RELEASE:=1
PKG_MAINTAINER:=
PKG_LICENSE:=GPL-3.0-or-later
PKG_CPE_ID:=cpe:/a:midnight_commander:midnight_commander
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://ftp.midnight-commander.org/
-PKG_HASH:=5ebc3cb2144b970c5149fda556c4ad50b78780494696cdf2d14a53204c95c7df
+PKG_HASH:=24191cf8667675b8e31fc4a9d18a0a65bdc0598c2c5c4ea092494cd13ab4ab1a
PKG_BUILD_PARALLEL:=1
PKG_FIXUP:=autoreconf gettext-version
PKG_BUILD_DEPENDS:=MC_VFS:libtirpc
include $(TOPDIR)/rules.mk
PKG_NAME:=moreutils
-PKG_VERSION:=0.68
+PKG_VERSION:=0.69
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://git.kitenet.net/index.cgi/moreutils.git/snapshot
-PKG_HASH:=5eb14bc7bc1407743478ebdbd83772bf3b927fd949136a2fbbde96fa6000b6e7
+PKG_HASH:=0f795d25356ca61544966646fb707d5be0b9864116be0269df5433f62d4e05d1
PKG_MAINTAINER:=Nikil Mehta <nikil.mehta@gmail.com>
PKG_LICENSE:=GPL-2.0-or-later
clean:
rm -f $(BINS) $(MANS) dump.c errnos.h errno.o \
-@@ -28,9 +28,6 @@ install:
+@@ -33,9 +33,6 @@ install:
$(INSTALL_BIN) $(BINS) $(DESTDIR)$(PREFIX)/bin
install $(PERLSCRIPTS) $(DESTDIR)$(PREFIX)/bin
CATEGORY:=Utilities
TITLE:=Mellanox Firmware Burning and Diagnostics Tools
URL:=https://github.com/Mellanox/mstflint
- DEPENDS:=@!(mips||mipsel) \
+ DEPENDS:=@!(mips||mips64||mipsel) \
+libcurl +liblzma +libopenssl +libsqlite3 \
+libstdcpp +libxml2 +python3-ctypes \
+python3-urllib +python3-xml +zlib
--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 14 Apr 2024 16:06:15 +0200
+Subject: Support POSIX basename() from musl libc
+
+Musl libc 1.2.5 removed the definition of the basename() function from
+string.h and only provides it in libgen.h as the POSIX standard
+defines it.
+
+This change fixes compilation with musl libc 1.2.5.
+````
+build_dir/target-mips_24kc_musl/rtty-mbedtls/rtty-8.1.1/src/file.c:156:24: error: implicit declaration of function 'basename' [-Werror=implicit-function-declaration]
+ 156 | const char *name = basename(path);
+ | ^~~~~~~~
+````
+
+basename() modifies the input string, copy it first with strdup(), If
+strdup() returns NULL the code will handle it.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ src/file.c | 8 +++++++-
+ src/filectl.c | 6 +++++-
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+--- a/src/file.c
++++ b/src/file.c
+@@ -29,6 +29,7 @@
+ #include <unistd.h>
+ #include <mntent.h>
+ #include <inttypes.h>
++#include <libgen.h>
+ #include <sys/statvfs.h>
+ #include <linux/limits.h>
+ #include <sys/sysinfo.h>
+@@ -153,13 +154,17 @@ static int start_upload_file(struct file
+ {
+ struct tty *tty = container_of(ctx, struct tty, file);
+ struct rtty *rtty = tty->rtty;
+- const char *name = basename(path);
++ const char *name;
+ struct stat st;
+ int fd;
++ char *dirc;
+
++ dirc = strdup(path);
++ name = basename(dirc);
+ fd = open(path, O_RDONLY);
+ if (fd < 0) {
+ log_err("open '%s' fail: %s\n", path, strerror(errno));
++ free(dirc);
+ return -1;
+ }
+
+@@ -177,6 +182,7 @@ static int start_upload_file(struct file
+ ctx->remain_size = st.st_size;
+
+ log_info("upload file: %s, size: %" PRIu64 "\n", path, (uint64_t)st.st_size);
++ free(dirc);
+
+ return 0;
+ }
+--- a/src/filectl.c
++++ b/src/filectl.c
+@@ -30,6 +30,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <fcntl.h>
++#include <libgen.h>
+
+ #include "utils.h"
+ #include "file.h"
+@@ -75,6 +76,7 @@ static void handle_file_control_msg(int
+ {
+ struct file_control_msg msg;
+ struct buffer b = {};
++ char *dirc;
+
+ while (true) {
+ if (buffer_put_fd(&b, fd, -1, NULL) < 0)
+@@ -90,7 +92,9 @@ static void handle_file_control_msg(int
+ if (sfd > -1) {
+ close(sfd);
+ gettimeofday(&start_time, NULL);
+- printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(path));
++ dirc = strdup(path);
++ printf("Transferring '%s'...Press Ctrl+C to cancel\n", basename(dirc));
++ free(dirc);
+
+ if (total_size == 0) {
+ printf(" 100%% 0 B 0s\n");
include $(TOPDIR)/rules.mk
PKG_NAME:=stress-ng
-PKG_VERSION:=0.17.05
+PKG_VERSION:=0.17.07
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/ColinIanKing/stress-ng/tar.gz/refs/tags/V$(PKG_VERSION)?
-PKG_HASH:=48964a0de5838acfed5c78d78d5f4a1d86974883d5537ccc55df019a0186a1b5
+PKG_HASH:=b0bc1495adce6c7a1f82d53f363682b243d6d7e93a06be7f94c9559c0a311a6f
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>
PKG_LICENSE:=GPL-2.0-only
--- a/Makefile.config
+++ b/Makefile.config
-@@ -327,10 +327,10 @@ clean:
+@@ -351,10 +351,10 @@ clean:
.PHONY: libraries
libraries: \
configdir \
--- /dev/null
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Hauke Mehrtens <hauke@hauke-m.de>
+Date: Sun, 14 Apr 2024 15:33:51 +0200
+Subject: Support POSIX basename() from musl libc
+
+Musl libc 1.2.5 removed the definition of the basename() function from
+string.h and only provides it in libgen.h as the POSIX standard
+defines it.
+
+This change fixes compilation with musl libc 1.2.5.
+````
+build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:36: error: implicit declaration of function 'basename' [-Wimplicit-function-declaration]
+ 227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
+build_dir/target-mips_24kc_musl/tini-0.19.0/src/tini.c:227:25: error: format '%s' expects argument of type 'char *', but argument 3 has type 'int' [-Werror=format=]
+ 227 | fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
+ | ~^ ~~~~~~~~~~~~~~
+ | | |
+ | char * int
+ | %d
+
+````
+
+basename() modifies the input string, copy it first with strdup(), If
+strdup() returns NULL the code will handle it.
+
+Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+---
+ src/tini.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/src/tini.c
++++ b/src/tini.c
+@@ -14,6 +14,7 @@
+ #include <stdlib.h>
+ #include <unistd.h>
+ #include <stdbool.h>
++#include <libgen.h>
+
+ #include "tiniConfig.h"
+ #include "tiniLicense.h"
+@@ -224,14 +225,19 @@ int spawn(const signal_configuration_t*
+ }
+
+ void print_usage(char* const name, FILE* const file) {
+- fprintf(file, "%s (%s)\n", basename(name), TINI_VERSION_STRING);
++ char *dirc, *bname;
++
++ dirc = strdup(name);
++ bname = basename(dirc);
++
++ fprintf(file, "%s (%s)\n", bname, TINI_VERSION_STRING);
+
+ #if TINI_MINIMAL
+- fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", basename(name));
++ fprintf(file, "Usage: %s PROGRAM [ARGS] | --version\n\n", bname);
+ #else
+- fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", basename(name));
++ fprintf(file, "Usage: %s [OPTIONS] PROGRAM -- [ARGS] | --version\n\n", bname);
+ #endif
+- fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", basename(name));
++ fprintf(file, "Execute a program under the supervision of a valid init process (%s)\n\n", bname);
+
+ fprintf(file, "Command line options:\n\n");
+
+@@ -261,6 +267,7 @@ void print_usage(char* const name, FILE*
+ fprintf(file, " %s: Send signals to the child's process group.\n", KILL_PROCESS_GROUP_GROUP_ENV_VAR);
+
+ fprintf(file, "\n");
++ free(dirc);
+ }
+
+ void print_license(FILE* const file) {
PKG_NAME:=usbmuxd
PKG_VERSION:=1.1.1
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=https://www.libimobiledevice.org/downloads
SUBMENU:=libimobiledevice
TITLE:=USB multiplexing daemon
URL:=https://www.libimobiledevice.org/
- DEPENDS:=+librt +libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice
+ DEPENDS:=+libusb-1.0 +libusbmuxd +libopenssl +libimobiledevice +usbutils
endef
define Package/usbmuxd/description
CONFIGURE_ARGS += --with-systemd
define Package/usbmuxd/install
+ $(INSTALL_DIR) $(1)/etc/hotplug.d/usb
$(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_BIN) ./files/usbmuxd.hotplug $(1)/etc/hotplug.d/usb/40-usbmuxd
$(INSTALL_BIN) ./files/usbmuxd.init $(1)/etc/init.d/usbmuxd
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/usbmuxd $(1)/usr/sbin/
--- /dev/null
+case "$ACTION" in
+ bind)
+ dev=/sys$DEVPATH
+
+ [ ! -f /tmp/iPhone.lock ] && [ -d ${dev}/net ] &&
+ {
+ readlink ${dev}/driver | grep -q ipheth &&
+ {
+ sleep 5
+ carrier_path=${dev}/net/*/carrier
+ carrier=`cat ${carrier_path}`
+
+ [ "${carrier}" = "0" ] &&
+ {
+ touch /tmp/iPhone.lock
+ logger -p daemon.error -t iPhone ${carrier_path} = ${carrier}
+ logger -p daemon.error -t iPhone `/usr/bin/usbreset iPhone`
+ /etc/init.d/usbmuxd restart
+ sleep 5 && rm -f /tmp/iPhone.lock &
+ }
+ }
+ }
+ ;;
+esac
PKG_NAME:=xxhash
PKG_VERSION:=0.8.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
-PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash/archive/v$(PKG_VERSION)
-PKG_HASH:=baee0c6afd4f03165de7a4e67988d16f0f2b257b51d0e3cb91909302a26a79c4
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/Cyan4973/xxHash
+PKG_MIRROR_HASH:=0602a12e9ecd009f97a2a845fb5e46af69a60f96547952e5b00228f33bed5cdd
# The source for the library (xxhash.c and xxhash.h) is BSD
# The source for the command line tool (xxhsum.c) is GPLv2+
PKG_LICENSE_FILES:=LICENSE cli/COPYING
PKG_MAINTAINER:=Julien Malik <julien.malik@paraiso.me>
-PKG_INSTALL:=1
+CMAKE_SOURCE_SUBDIR:=cmake_unofficial
include $(INCLUDE_DIR)/package.mk
-
-PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
+include $(INCLUDE_DIR)/cmake.mk
define Package/xxhash/Default
TITLE:=Extremely fast hash algorithm
$(INSTALL_DIR) $(1)/usr/include
$(CP) $(PKG_INSTALL_DIR)/usr/include/*.h $(1)/usr/include/
$(INSTALL_DIR) $(1)/usr/lib
- $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.{a,so*} $(1)/usr/lib/
+ $(CP) $(PKG_INSTALL_DIR)/usr/lib/libxxhash.so* $(1)/usr/lib/
$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/libxxhash.pc $(1)/usr/lib/pkgconfig/
endef
include $(TOPDIR)/rules.mk
PKG_NAME:=yara
-PKG_VERSION:=4.2.0
+PKG_VERSION:=4.5.0
PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://codeload.github.com/VirusTotal/yara/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=6f567d4e4b79a210cd57a820f59f19ee69b024188ef4645b1fc11488a4660951
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=v$(PKG_VERSION)
+PKG_SOURCE_URL:=https://github.com/VirusTotal/yara
+PKG_MIRROR_HASH:=1b549a5aa3320ed768398b0152cb194a7e30c24275fc054facdb4d41bf729cb4
PKG_MAINTAINER:=Marko Ratkaj <markoratkaj@gmail.com>
PKG_LICENSE:=BSD-3-Clause
$(if $(CONFIG_YARA_module_magic),--enable,--disable)-magic \
$(if $(CONFIG_YARA_module_cuckoo),--enable,--disable)-cuckoo
+TARGET_CFLAGS += -D_LARGEFILE64_SOURCE
+
define Package/yara/config
source "$(SOURCE)/Config.in"
endef