Ship podman with defaults more coherent with user expectations and
more likely to work out-of-the-box.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Deleting rules that docker has created is error-prone, because with
every update docker we have to check if anything has changed.
Cleaning up the firewall rules is part of the docker and should and must be
cleaned up and handeled by them when the service is terminated.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If docker-ce handles the firewall and fw3 is not envolved because the
rules get not proceed, then not only docker0 should be handled but also
other interfaces and therefore other docker networks.
This commit extends the handling and introduces a new uci option
`device` in the docker config firewall section. This can be used to specify
which device is allowed to access the container. Up to now only docker0
is covert.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
As the protocol is set to none, this makes no sense here, as it cannot
be controlled and thus processed by the netifd.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Openwrt has a own firewall service called fw3, that supports firewall zones.
Docker can bypass the handling of the zone rules in openwrt via custom
tables. These are "always" processed before the openwrt firewall.
Which is prone to errors!
Since not everyone is aware that the firewall of openwrt will
not be passed. And this is a security problem because a mapped port is
visible on all interfaces and so also on the WAN side.
If the firewall handling in docker is switched off, then the port in
fw3 must be explicitly released and it cannot happen that the
port is accidentally exported to the outside world via the interfaces on
the WAN zone.
So all rules for the containers should and so must be made in fw3.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Up to now only the docker0 interface and bridge is created by default.
In order to create other interfaces and to integrate them into the
openwrt these functions can now be called with arguments.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
nopingtime UCI option rationale:
I want relatively fast reaction(i.e. 1m or 2m) for 'no internet' condition,
but i don't want my router to reboot every 1 minute if there is still no
internet after reboot.
initd_watchcat:
* add: nopingtime uci option support
* add: defaults to all non-critical options
* add: log warnings for non-critical errors(when option is missed and
default is applyed)
* fix: error handling and config_get defaults are somtimes in conflict
because of config_get defaults. They are gone now, error handling improved.
* fix: calling watchcat.sh with 'period' mode instead of 'ping'. Typo?
* fix: pingperiod default changed from period/20 to more reasonable period/5
watchcat.sh:
* add: nopingtime uci option support( sleep if uptime < nopingtime )
* remove: [ "$mode" = "allways" ] && mode="always" - not needed, already
done by initd_watchcat in load_watchcat() func
* add: echo 1 > /proc/sys/kernel/sysrq before sysrq-trigger
* refactor: eliminated once used not needed variables, code size reduced.
* PKG_RELEASE bumped up
Signed-off-by: Vasily Trotzky <trotzky.vas@gmail.com>
* blocked_interfaces blocks all packets to docker0 from the given
interface. This is needed because all the iptables commands dockerd
adds operate before any of the fw3 generated rules.
Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com>
Use ALTERNATIVES for /usr/bin/gpg and /usr/bin/gpgv, so upcoming gnupg2
variants can be selected instead.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Added Fedora patch to fix compilation.
Added python3 dependency as it seems it's needed now.
Replaced custom boost 1.73 patch with upstream one. Removed CFLAG that
was supposed to fix this but didn't do anything.
Removed nls.mk. telldus-core was fixed to not require iconv.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fix "hostapd_ubus_stations.lua". The bit-lib that is imported and the
one specified as the dependency do not match. Use luabitop.
Signed-off-by: Nick Hainke <vincent@systemli.org>
it makes no sense to show docker-compose sit in Languages -> Python
submenu in menuconfig, it is a tool and not a library.
Move it to Utilities section like docker-ce also is.
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
This reverts commit 1f5f599d0e
that bumped the zoneinfo version from 2020a to 2020b.
Apparently some libc are incompatible with the data format in 2020b.
At least our default libc, musl, fails to parse timezones from the
compiled 2020b zoneinfo files.
Release notes mention that deprecated "posixrules" feature is now
omitted from the default build. Possibly musl uses it?
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Michael Heimpold
Daniel Golle
Florian Eckert
Vasily Trotzky
Michal Hrusecky
Gerard Ryan
Jan Pavlinec
Tianling Shen
Cobalt Chang
Rosen Penev
Maxim Storchak
Alexandru Ardelean
Javier Marcet
Nick Hainke
Phil Eichinger
Huangbin Zhan
Vladimir Ulrich
Toni Uhlig
Alberto Bursi
Karel Kočí
Hannu Nyman