Implement a new "cgi-exec" applet which allows to invoke remote commands
and stream their standard output back to the client via HTTP. This is
needed in cases where large amounts of data or binary encoded contents
such as tar archives need to be transferred, which are unsuitable to be
transported via ubus directly.
The exec call is guarded by the same ACL semantics as rpcd's file plugin,
means in order to be able to execute a command remotely, the ubus session
identified by the given session ID must have read access to the "exec"
function of the "cgi-io" scope and an explicit "exec" permission rule for
the invoked command in the "file" scope.
In order to initiate a transfer, a POST request in x-www-form-urlencoded
format must be sent to the applet, with one field "sessionid" holding
the login session and another field "command" specifying the commandline
to invoke.
Further optional fields are "filename" which - if present - will cause
the download applet to set a Content-Disposition header and "mimetype"
which allows to let the applet respond with a specific type instead of
the default "application/octet-stream".
Below is an example for the required ACL rules to grant exec access to
both the "date" and "iptables" commands. The "date" rule specifies the
base name of the executable and thus allows invocation with arbitrary
parameters while the latter "iptables" rule merely allows one specific
set of arguments which must appear exactly in the given order.
    ubus call session grant '{
      "ubus_rpc_session": "...",
      "scope": "cgi-io",
      "objects": [
        [ "exec", "read" ]
      ]
    }'
    ubus call session grant '{
      "ubus_rpc_session": "...",
      "scope": "file",
      "objects": [
        [ "/bin/date", "exec" ],
        [ "/usr/sbin/iptables -n -v -L", "exec" ]
      ]
    }'
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
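Added example, not part of the commit above and not rpcd or cgi-io code: a simplified shell model of the two-scope check the message describes, showing which command lines the sample grants admit. The grant table format, the function names and the plain string comparison are assumptions made for illustration.

```sh
#!/bin/sh
# Simplified model (assumption): grants are compared as exact strings.
# scope|object|permission, one grant per line, mirroring the two
# "ubus call session grant" calls from the commit message.
GRANTS='cgi-io|exec|read
file|/bin/date|exec
file|/usr/sbin/iptables -n -v -L|exec'

# has_grant SCOPE OBJECT PERM -> 0 if exactly that grant is present.
# Compared line by line, so a command containing a newline never matches.
has_grant() {
    want="$1|$2|$3"
    while IFS= read -r grant; do
        [ "$grant" = "$want" ] && return 0
    done <<EOF
$GRANTS
EOF
    return 1
}

# exec_allowed CMDLINE -> prints "allow" or "deny:<reason>".
exec_allowed() {
    cmdline=$1
    exe=${cmdline%% *}      # executable path: text before the first space
    if ! has_grant cgi-io exec read; then
        echo "deny:no cgi-io exec read"
    elif has_grant file "$cmdline" exec; then
        echo "allow"        # rule pins the complete argument list
    elif has_grant file "$exe" exec; then
        echo "allow"        # executable-only rule: any arguments pass
    else
        echo "deny:no file exec rule"
    fi
}

# Constructed requests: reordered or extra arguments fall outside the
# pinned iptables rule, while /bin/date is accepted with any arguments.
for c in '/bin/date -u +%s' '/usr/sbin/iptables -n -v -L' \
         '/usr/sbin/iptables -L -n -v' '/usr/sbin/iptables -n -v -L -t nat'; do
    printf '%-40s %s\n' "$c" "$(exec_allowed "$c")"
done
```

When reviewing such grants, an executable-only rule is the broad one: it admits every option the binary accepts, so a rule that pins the full argument list is the narrower choice.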
- IPv6 support
- Fix HTTP/2 negotiation
- Improve endpoint fallback
- Add support for unencrypted DNS
- Many other fixes and features
Signed-off-by: Olivier Poitrey <rs@nextdns.io>
When present on the build system dnsdist will try to make use of libcap. This
change adds an explicit dependency to ensure it's present at build time, to
prevent build failures when another package brings the dependency in.
Signed-off-by: James Taylor <james@jtaylor.id.au>
* remove 'ransomware' blocklist by abuse.ch (discontinued)
from default adblock config
* fix/switch 'someonewhocares' config to https only
* fix curl download parameters to follow redirects and
suppress needless output
* made the tmp directory of sort operations configurable,
set 'adb_sorttmp' accordingly (only supported by 'coreutils-sort')
Signed-off-by: Dirk Brenken <dev@brenken.org>
This new release also installs additional 'shared utils' loadable
libraries in /usr/lib/ModemManager, so make sure we include them in
the packaging.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Update dnsdist to next major release 1.4.0. This release introduces
dependencies on libh2o-evloop and libwslay for support of DNS over
HTTPS.
Release Blog Post: https://blog.powerdns.com/2019/11/20/dnsdist-1-4-0/
Changelog: https://dnsdist.org/changelog.html#change-1.4.0
Also removes compatibility patches required for previous release that have
been incorporated upstream.
Signed-off-by: James Taylor <james@jtaylor.id.au>
Maintainer: Darryl Sokoloski / @dsokoloski
Compile tested: arm_cortex-a15_neon-vfpv4, TP-Link Archer C2600, master
Run tested: TP-Link Archer C2600
Change log for v2.98:
[FIX] OpenWrt: Silence ABI warnings.
[FIX] Fixed socket buffer dead-lock (pop < 0 bytes).
[FIX] Silenced site UUID errors (moved to debug level).
[FIX] Updated to SPDX identifier for GPL license.
[IMP] Migrated from libjson-c to nlohmann JSON for Modern C++.
[IMP] Updated agent status with CPU utilization and sink service status.
[IMP] Reformatted sink queue utilization status output.
[IMP] Support OS-specific restarting.
[IMP] Added payload upload and update frequency control.
[IMP] Added MAC addresses to JSON interface list.
[IMP] Added option to send established flows to connecting clients.
[IMP] Added offline capture processing script.
Signed-off-by: Darryl Sokoloski <darryl@sokoloski.ca>
Updates pdns-recursor to current stable 4.2.1. Also includes more complete fix
for boost.m4 BOOST::THREAD detection, removing dependency on boost-thread.
Signed-off-by: James Taylor <james@jtaylor.id.au>
Upgraded to pdns-4.2.1 and corrected issues with dependency management on
modules, in addition to moving zone2ldap under the ldap backend (It's only
compiled if ldap backend is enabled)
Signed-off-by: James Taylor <james@jtaylor.id.au>
Periodic update of the list of Google domains using
https://www.google.com/supported_domains
as a reference.
Signed-off-by: Gregory L. Dietsche <gregory.dietsche@cuw.edu>
Per discussion in https://github.com/openwrt/openwrt/pull/1804, iputils is
moving from the main openwrt repository to the packages feed, and is switching
from the abandoned skbuff.net upstream to github.com/iputils/iputils
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
This is a bugfix release.
Full changelog available at:
https://mosquitto.org/blog/2019/11/version-1-6-8-released/
Many smaller fixes in various areas, nothing particularly standout as of
special interest to OpenWrt.
Signed-off-by: Karl Palsson <karlp@etactica.com>
- Use HTTPS protocol for updating urls for afraid.org to protect the password.
- Bump/align package version number.
Signed-off-by: Kwonjin Jeong <gram25gwh@gmail.com>
Goes through firewalls easier.
Switched to xz tarball, which is both implicit and smaller.
Rearranged some stuff for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
ntpd's configuration is stored in /var/etc, but the init script doesn't
create this directory. To be fair this folder is used by other packages
as well, for instance dnsmasq. Still, it's better not to rely on other
packages to create it.
Fixes: #10636
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
* update to 4.9.16
* cherry-pick some musl alpine/openembedded patches
* cleanup/remove AD-DC/Winbind options and related code
* build the compile_et via samba4/host
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
* fix reload/restart not applying luci/smb.conf changes
* remove hotfix for 'read only = no' (fixed by upstream)
* update documentation, example
* cifsd: fix the loss of dos file attributes
* cifsd: store FILE_ATTRIBUTE_SPARSE into xattr
* cifsd: release v2.0.2
* cifsd-tools: add smb.conf.list file to show supported parameters list
* cifsd-tools: set CIFSD_SHARE_FLAG_WRITEABLE flags if read only = no
* cifsd-tools: release cifsd-tools v2.0.2
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
Replaces OpenWrt patch with upstream patch. Also removes
0002-Fix-check-for-empty-string.patch as this is included in upstream
OpenSSL 1.1.0 patch.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit makes
- the libgd dependency (as well as specifying libs and includes)
- the configure argument "--with-cgi"
dependent on whether the package nut-web-cgi is selected.
nut-web-cgi is also added to PKG_CONFIG_DEPENDS.
Resolves: #10641
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
The modemmanager.common file includes several utility functions that
are used in several places like the protocol handler and in hotplug
scripts. These utilities should not be installed in /etc as they're
not configuration.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Unlike other modem protocol handlers like the ones implemented by uqmi
or umbim, in the modemmanager protocol handler the 'device' option
does not specify a device node in /dev. Therefore, we shouldn't flag
the option as 'device' type (dt_type_device).
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
When a USB modem device is unplugged, we had to do two different
things: first, cleanup the sysfs cache; and second, set interface as
unavailable.
Those two things were never being done properly due to several
different issues:
* The parent sysfs path retrieval logic relies on checking for which
sysfs path has the vid/pid files. This logic obviously only works
when the device is available, and cannot be used on e.g. removal
events.
* The command to cleanup the modem wait status from the sysfs cache
was not removing the previous state properly, because the sysfs path
variable wasn't escaped properly for the sed command.
This patch handles those issues in order to have a proper device
removal handling, by making sure the sysfs path is properly escaped in
the sed command, and by introducing a new hotplug script that runs
when the full USB device is removed.
Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
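Added example, not taken from the commit above or from the ModemManager packaging: the sed escaping problem the message describes, reproduced on a constructed cache file. The cache format ("<sysfs path> <state>" per line), the sample paths and all function names are assumptions.

```sh
#!/bin/sh
# Constructed illustration; only the escaping technique is the point.

# Escape BRE metacharacters and the "/" delimiter so that a path can be
# embedded literally in a sed address.
sed_escape() {
    printf '%s\n' "$1" | sed 's|[][\/.^$*]|\\&|g'
}

# Unescaped: the slashes inside the path end the /.../ address early, sed
# rejects the script and the cache is left untouched.
cache_remove_naive() {
    sed "/^$2 /d" "$1" > "$1.new" 2>/dev/null && mv "$1.new" "$1"
    rm -f "$1.new"
}

# Escaped: only the line for exactly this path is deleted.
cache_remove_escaped() {
    sed "/^$(sed_escape "$2") /d" "$1" > "$1.new" && mv "$1.new" "$1"
}

# Build a constructed two-line cache, run the given remover on it and
# print the paths that are still cached afterwards.
remaining_after() {
    cache=$(mktemp)
    printf '%s\n' \
        '/sys/devices/platform/usb1/1-1.2 processed' \
        '/sys/devices/platform/usb1/1-1x2 processed' > "$cache"
    "$1" "$cache" '/sys/devices/platform/usb1/1-1.2'
    cut -d' ' -f1 "$cache" | paste -sd' ' -
    rm -f "$cache"
}

echo "naive:   $(remaining_after cache_remove_naive)"
echo "escaped: $(remaining_after cache_remove_escaped)"
```

The second cache entry differs from the first only where the path has a dot, which shows why the dot has to be escaped as well as the slashes.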
gdlib pc file doesn't set a version, so "pkg-config --modversion gdlib"
returns nothing. Also, the test
    if test "$?" != "0" -a -n "${GD_VERSION}"; then
is wrong as pkg-config wouldn't return != 0 on success.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
* 5.01.9672 release
* Cedar: handle UDP acceleration and R-UDP versions
* Mayaqua: implement R-UDP version 2, powered by ChaCha20-Poly1305
* Cedar: implement UDP acceleration version 2, powered by ChaCha20-Poly1305
* Cedar: serve new web management interface
* Cedar: implement detailed protocol info
* Mayaqua: add Windows Server 2019 to the supported operating systems list
* Cedar: various fixes
* Cedar: add "DisableIPsecAggressiveMode" option
* Make install dir for unit files configurable
* Protocol.c: adapt ClientConnectGetSocket() for new proxy functions
* Wpc.c: adapt WpcSockConnectEx() for new proxy functions
* Protocol: add ProxyCodeToCedar()
* Move generic proxy stuff from Cedar to Mayaqua
* Proto_OpenVPN.c: improve OvsProcessData(), fix out-of-bounds access found by Coverity
* Proto_OpenVPN.c: fix segmentation fault in OvsProceccRecvPacket()
* Addressing the UDP reflection amplification attack: https://github.com/SoftEtherVPN/SoftEtherVPN/issues/1001
* Mayaqua.h: include <stdarg.h> for "va_list" on Illumos
* Protocol.c: fix bug in ClientConnectGetSocket() causing custom HTTP header not to work
* Mayaqua: move HTTP functions from "Network" to "HTTP"
* Move GetMimeTypeFromFileName() and related structure to Mayaqua
* Mayaqua.h: include <stdio.h> for "FILE"
* Mayaqua.h: include <stddef.h>, for "wchar_t"
* Bump mixin-deep in /src/bin/hamcore/wwwroot/admin/default
* - Fixed the problem occurs when RPC messages between Cluster Members exceed 64Kbytes.
  - Fixed the RADIUS PEAP client to use the standard TLS versioning.
  - Implementation of a function to fix the MAC address of L3 VPN protocol by entering e.g. "MAC: 112233445566" in the "Notes" field of the user information.
  - Implementation of a function to fix the virtual MAC address to be assigned to the L3 VPN client as a string attribute from RADIUS server when authentication.
* Updating built-in Win32 libraries
  - OpenSSL 1.1.1 -> 1.1.1d
  - zlib 1.2.3 -> 1.2.11
* Update strtable_cn.stb
* Avoid using hardcoded paths in log file enumeration
* Fix buffer overflow during NETBIOS name resolution
* Update SEVPN.sln
* Create strtable_pt_br.stb
* ci: display error if vpntest failed
* Fix several compile warnings on MS VC++ 2008.
* Enables crash minidump for Win32 vpntest. Minidump files will be saved to the 'C:\Users\<username>\AppData\Local\Temp\vpn_debug' (for normal user) or 'src\bin\vpn_debug\' (for administrator user).
* OpenVPN: use new protocol interface
* Add interface for easy protocol implementation
* add "no-deprecated" to openssl builds: "no-deprecated" is widely used in openwrt devices
* Fix LibreSSL support
* Switch to OpenSSL THREADID API
* travis-ci: update openssl, libressl
* enable sonar-scan in travis-ci builds
* Virtual: fix race condition in DHCP server which resulted in multiple clients receiving the same IP
* Mayaqua: Fix compilation without deprecated OpenSSL APIs
* Mayaqua: Replace GNU specific sys/poll.h header with POSIX poll.h
* systemd: replace deprecated CAP_SYS_ADMIN with CAP_SYSLOG
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
This is useful to assign all traffic to a fw3 zone, e.g.:
/etc/config/ipsec:
    config remote 'test'
        list tunnel 'dev'
        ...
    config 'tunnel' 'dev'
        option reqid '33'
        ...
/etc/config/firewall:
    config zone
        option name wan
        option extra_src "-m policy --pol none --dir in"
        option extra_dest "-m policy --pol none --dir out"
        ...
    config zone
        option name vpn
        # subnet needed for firewall3 before 22 Nov 2019, 8174814a
        list subnet '0.0.0.0/0'
        option extra_src "-m policy --pol ipsec --dir in --reqid 33"
        option extra_dest "-m policy --pol ipsec --dir out --reqid 33"
        ...
Signed-off-by: Paul Fertser <fercerpav@gmail.com>