Added openconnect + ocserv related packages #2
Conversation
Thanks.
Added openconnect + ocserv related packages
Based on your earlier work on openwrt-devel and the current packages I think it would be OK to grant you direct access to this repository so you can maintain these packages more directly. If you would like to do that, please let me know and I will add you to the maintainers group.
That would be nice, thanks.

On 3 June 2014 21:06:49 CEST, sbyx [email protected] wrote:

Sent from my mobile. Please excuse my brevity.
Done.
Changes:
89d1b80 xt_condition: namespace support openwrt#2
c839e87 xt_geoip: check for allocation overflow
a587f95 compat_xtables: use more accurate printf format for NIPQUAD
1874fcd xt_DNETMAP: fix a buffer overflow
21ea7b7 xt_LOGMARK: resolve new gcc7 warnings
ee8da2b build: support for Linux 4.12
19a4359 xt_condition: add support for namespaces
1b37966 xt_psd: resolve compiler warning

Tested on cns3xxx

Signed-off-by: Koen Vandeputte <[email protected]>
SVN-Revision: 35193

xtables-addons: rework uid/gid compat patch to use KUIDT_INIT() and KGIDT_INIT() macros
SVN-Revision: 35203

xtables-addons: fix packaging of iptaccount
SVN-Revision: 35831

kernel: add some fixes for kernel 3.9
This patch fixes some compile problems with kernel 3.9 and adds some missing linux 3.9 handling into kernel packages.
SVN-Revision: 36098

xtables-addons: update to version 2.3, adds linux 3.10 compatibility
Signed-off-by: Felix Fietkau <[email protected]>
SVN-Revision: 37226

xtables-addons: add missing kmod dependencies
SVN-Revision: 37424

xtables-addons: use a select of kmod-ipt-core instead of depending on it
SVN-Revision: 37425

kernel: fix xtables-addons dependencies with kernel 3.3
Signed-off-by: Hauke Mehrtens <[email protected]>
SVN-Revision: 37461

kernel: make most modules use AutoProbe
Now that we have modprobe we can set more than half of the modules to AutoProbe.
Signed-off-by: John Crispin <[email protected]>
SVN-Revision: 38021

xtables-addons: fix missing conversion from r38021 (resolves a broken dependency)
Signed-off-by: Felix Fietkau <[email protected]>
SVN-Revision: 38124

xtables-addons: openwrt#15516 Fix compile under linux 3.14
Add compatibility inline function.
Signed-off-by: Jan Kardell <[email protected]>
SVN-Revision: 40613

build: disable the PKG_CHECK_FORMAT_SECURITY check for the failing packages
The idea is to gradually fix the packages.
Signed-off-by: Etienne CHAMPETIER <[email protected]>
SVN-Revision: 41411

xtables-addons: remove version 1.x for old kernels
Signed-off-by: Felix Fietkau <[email protected]>
SVN-Revision: 42047

xtables-addons: update to version 2.5
Signed-off-by: Felix Fietkau <[email protected]>
SVN-Revision: 42256

Add a few SPDX tags
Signed-off-by: Steven Barth <[email protected]>
SVN-Revision: 43151

Add more license tags with SPDX identifiers
Note that licensing stuff is a nightmare: many packages do not clearly state their licenses, and often multiple source files are simply copied together - each with different licensing information in the file headers. I tried hard to ensure that the license information extracted into the OpenWRT's makefiles fits the "spirit" of the packages, e.g. such small packages which come without a dedicated source archive "inherit" the OpenWRT's own license in my opinion. However, I can not guarantee that I always picked the correct information and/or did not miss license information.
Signed-off-by: Michael Heimpold <[email protected]>
SVN-Revision: 43155

license info - revert r43155
Turns out that r43155 adds duplicate info.
Signed-off-by: John Crispin <[email protected]>
SVN-Revision: 43167

nf_conntrack_rtsp: update to latest version
Update nf_conntrack_rtsp to latest version based on http://mike.it-loops.com/rtsp/ (rtsp-module-3.7-v2.tar.gz).
Signed-off-by: Álvaro Fernández Rojas <[email protected]>
SVN-Revision: 43311

build: drop obsolete kernel version dependencies
Signed-off-by: Felix Fietkau <[email protected]>
SVN-Revision: 44110

xtables-addons: disable for kernel 4.1 for now
Netfilter APIs have changed, so the code requires updates to compile successfully.
Signed-off-by: Jonas Gorski <[email protected]>
SVN-Revision: 46111

xtables-addons: update to 2.7 to fix compilation with 4.1
Also drop the configure (not .ac) patch part as autoreconf will overwrite it anyway with a newly generated version.
Signed-off-by: Jonas Gorski <[email protected]>
Acked-by: Jo-Philipp Wich <[email protected]>
SVN-Revision: 46385

package: Remove dependencies to kmod-ipv6
Since r46834, IPv6 support is builtin if selected. Therefore, dependencies on kmod-ipv6 can no longer be fulfilled, since it is not a module anymore.
Signed-off-by: Arjen de Korte <[email protected]>
SVN-Revision: 47022

xtables-addons: update to 2.9
Fixes compilation with Linux 4.3. Runtime tested on Ubiquiti EdgeRouter Lite with Linux 3.18, 4.1 and 4.3.
Signed-off-by: Stijn Tintel <[email protected]>
SVN-Revision: 47470

xtables-addons: update to 2.10
Fixes compilation with linux 4.4.
Signed-off-by: Jonas Gorski <[email protected]>
SVN-Revision: 47699

xtables-addons: build: fix configure compatibility with POSIX shells
Fixes build with /bin/sh pointing to certain versions of dash (for example on Void Linux).
Signed-off-by: Matthias Schiffer <[email protected]>
SVN-Revision: 49218

xtables-addons: Fix Lua packet script implementation
lua_packet_segment parameter start has type char pointer; in function lua_tg it's assigned an uint16 value generating compiler warnings obviously indicating possible seg fault problems. Fix the issue by using the correct skb functions so the parameter points to the position inside the sk_buff.
Signed-off-by: Hans Dedecker <[email protected]>
Signed-off-by: Stijn Cleynhens <[email protected]>

xtables-addons: Avoid redefinition of SHRT_MAX in lua packet script
Patch Lua packet script defines SHRT_MAX which is already defined in <linux/kernel.h> and is included indirectly by lauxlib.h. Fix the redefinition as it leads to compile failure on systems which treat macro redefinition as an error.
Signed-off-by: Hans Dedecker <[email protected]>

treewide: replace [email protected] with [email protected]
Signed-off-by: Jo-Philipp Wich <[email protected]>

xtables-addons: update to 2.11
- fix compilation w. Kernel 4.6 due to hash->shash crypto API
- remove a patch integrated upstream
- remove unrecognized configure option removed upstream in 2010 commit 40d0345f1ed02de183b13a6ce38847bc1f4ac48e
Signed-off-by: Dirk Neukirchen <[email protected]>

xtables-addons: add missing dependency
Signed-off-by: Felix Fietkau <[email protected]>

xtables-addons: add CONFIG_NF_CONNTRACK_MARK=y to all kmod-* packages
Not all kmod packages depend on kmod-ipt-compat-xtables, but this kernel config option is required for building the whole package.
Signed-off-by: Felix Fietkau <[email protected]>

treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256.
Signed-off-by: Felix Fietkau <[email protected]>

xtables-addons: update to version 2.12
Signed-off-by: Felix Fietkau <[email protected]>

xtables-addons: fix build error on ARC
The kernel unconditionally pulls in a header file that defines 'current', which conflicts with the lua extension code.
Signed-off-by: Felix Fietkau <[email protected]>

xtables-addons: fix nathelper-rtsp dependencies
Both nf_conntrack and nf_nat need to be called out.
Signed-off-by: Philip Prindeville <[email protected]>

Revert "xtables-addons: fix nathelper-rtsp dependencies"
This reverts commit e2ef801.
Signed-off-by: John Crispin <[email protected]>

xtables-addons: update to version 2.13
Changes:
89d1b80 xt_condition: namespace support openwrt#2
c839e87 xt_geoip: check for allocation overflow
a587f95 compat_xtables: use more accurate printf format for NIPQUAD
1874fcd xt_DNETMAP: fix a buffer overflow
21ea7b7 xt_LOGMARK: resolve new gcc7 warnings
ee8da2b build: support for Linux 4.12
19a4359 xt_condition: add support for namespaces
1b37966 xt_psd: resolve compiler warning
Tested on cns3xxx
Signed-off-by: Koen Vandeputte <[email protected]>

build: use KERNEL_MAKE_FLAGS for kernel file compilations
The build system already defines KERNEL_CROSS which defaults to TARGET_CROSS. Make use of this variable for kernel makefiles.
Signed-off-by: Karl Vogel <[email protected]>

xtables-addons: update to version 2.14
This includes a compile fix needed for kernel 4.14.
Signed-off-by: Hauke Mehrtens <[email protected]>

xtables-addons: fix compile with kernel 4.14
This fixes a compile problem seen with kernel 4.14.
Signed-off-by: Hauke Mehrtens <[email protected]>

kernel: always build NF_CONNTRACK_MARK into kernel
This is one of three commits to migrate xtables-addons from openwrt to packages. This is needed so that xtables-addons helpers can rely on scripts that aren't part of the base packaging (e.g. Perl).
Signed-off-by: Philip Prindeville <[email protected]>
Suggested-by: Jo-Philip Wich <[email protected]>

xtables-addons: ready directory for import
This is three of three commits to migrate xtables-addons from openwrt to packages. This is needed so that xtables-addons helpers can rely on scripts that aren't part of the base packaging (e.g. Perl).
Signed-off-by: Philip Prindeville <[email protected]>
Suggested-by: Jo-Philip Wich <[email protected]>
…ates2 haproxy: Update all patches for HAProxy v1.8.14 #2
Includes minor bugfixes, translation updates and most of the OpenSSL compilation patch. Signed-off-by: Jonas Gorski <[email protected]>
gluon-autoupdater: use awk to split manifest
apxs is used to get information about the apache installation when building external modules. Currently there are issues:

1. ./staging_dir/target-mips_24kc_musl/usr/bin/apxs -q TARGET
apache2 apxs:Error: ./staging_dir/target-mips_24kc_musl/home/sk/tmp/openwrt/staging_dir/target-mips_24kc_musl/usr/bin/apr-1-config not found!.

This error is fixed by sed script #2.

2. ./staging_dir/target-mips_24kc_musl/usr/bin/apxs -q TARGET
cannot open ./staging_dir/target-mips_24kc_musl/home/sk/tmp/openwrt/staging_dir/target-mips_24kc_musl/usr/share/apache2/build/config_vars.mk: No such file or directory at ./staging_dir/target-mips_24kc_musl/usr/bin/apxs line 213.

This error is fixed by sed script #1.

Both sed scripts taken from buildroot (see [1]).

[1] https://github.com/buildroot/buildroot/blob/master/package/apache/apache.mk

Signed-off-by: Sebastian Kemper <[email protected]>
This fixes a segfault because gnupg/g10/options.h struct opt is otherwise not shared between the different code units, resulting in opt.homedir being NULL when passed to make_filename.

$ gpg1 -i
gpg: signal 11 caught ... exiting
Segmentation fault

(gdb) bt
#0 0x00007f17bb2185e2 in strlen (s=s@entry=0x0) at src/string/strlen.c:17
#1 0x0000000000460ea0 in make_filename (first_part=first_part@entry=0x0) at gnupg-1.4.23/util/fileutil.c:174
#2 0x000000000040ee42 in keydb_add_resource (url=url@entry=0x46bfe3 "secring.gpg", flags=flags@entry=4, secret=secret@entry=1) at gnupg-1.4.23/g10/keydb.c:238
#3 0x00000000004062ee in main (argc=<optimized out>, argv=<optimized out>) at gnupg-1.4.23/g10/gpg.c:3323

Signed-off-by: Tjeu Kayim <[email protected]>
This fixes a segfault because gnupg/g10/options.h struct opt is otherwise not shared between the different compilation units, resulting in opt.homedir being NULL when passed to make_filename.

$ gpg1 -i
gpg: signal 11 caught ... exiting
Segmentation fault

(gdb) bt
#0 0x00007f17bb2185e2 in strlen (s=s@entry=0x0) at src/string/strlen.c:17
#1 0x0000000000460ea0 in make_filename (first_part=first_part@entry=0x0) at gnupg-1.4.23/util/fileutil.c:174
#2 0x000000000040ee42 in keydb_add_resource (url=url@entry=0x46bfe3 "secring.gpg", flags=flags@entry=4, secret=secret@entry=1) at gnupg-1.4.23/g10/keydb.c:238
#3 0x00000000004062ee in main (argc=<optimized out>, argv=<optimized out>) at gnupg-1.4.23/g10/gpg.c:3323

Signed-off-by: Tjeu Kayim <[email protected]>
(cherry picked from commit f4058c1)
Signed-off-by: Oskari Rauta <[email protected]>
Follow up to commit c744798. Managed to hit the very same issue again while playing with the NOR SPL builds. Signed-off-by: Mathias Kresin <[email protected]>
There are multiple hit spots for packets in the following order:

1. Packets are checked to see if they originated from WAN
2. Packets are checked to see if they're destined for a local route
3. Packets are checked against default WAN policies

The intent of matching the "local route" is to identify packets destined for the local LAN after WAN originated packets have been identified. These are applied to the system's routing table.

However, when a WAN interface is brought up, this interface goes into the "local route" ipset list, as well as the originating from WAN rule check. The order of adding these two is not guaranteed, and it's possible that the known route check is added prior to the WAN rule. While it's still coming up, packets that originate from the WAN are marked with the system wide routing table. This can make the outbound packets potentially route to the wrong spot since the system routing table is used.

By modifying the rule set to the following:

1. Packets are checked to see if they originate from WAN
2. Packets are checked to see if they're sourced *and* destined for a local route
3. Packets are checked against default policies

Match #2 then matches packets that are going in and out of locally routable interfaces, which is likely the intention of this.

However, this leads to another problem: the default policies are sticky. If the WAN interface isn't quite brought up yet, then the packets get assigned to the last_resort method for the interface. This might be problematic for a newly observed connection that occurs before the appropriate routing table is assigned.

To mitigate the last_resort issue, the last_resort targets are made temporary. That is, the firewall will clear the mark, and re-evaluate for each packet coming in when the last_resort is utilized. This permits an interface that is in the process of being brought up to not bind packets to the wrong routing table permanently.

One easy way to test this out before and after this change is to:

- Bring down wan (e.g. ifdown wan)
- Manually bring up WAN
- This mitigates the firewall rules being added for #1 above, but #2 is still added since this is monitoring the routing interface
- Ping the device from a non-local subnet via the WAN interface; leave running
- Observe mark set to ICMP session via conntrack
- Bring up wan (e.g. ifup wan)
- Observe mark set to ICMP session from above

Signed-off-by: Tim Nordell <[email protected]>
This introduces a new concept of "unknown_wan" to mwan3. The action for this can be configured in the globals section, the default of which is 'none'. This can be set to 'none', 'default', 'unreachable' or 'blacklist', switching out the matching ip rule for this match. This assignment for a connection is temporary and is re-resolved for each additional original direction packet through the firewall, allowing the unknown WAN to start resolving once the ifup has finished for the given interface.

An example configuration:

config globals 'globals'
	option unknown_wan_action 'unreachable'

There are multiple hit spots for packets in the following order:

1. Packets are checked to see if they originate from known WAN interfaces
2. Packets are checked to see if they're destined for ipsets defined
3. Packets are checked against default WAN policies

The WAN list is maintained via hotplug 'ifup'/'ifdown' events and the local route ipset list is maintained via monitoring the routing table. This means that while a WAN interface is brought up, the list for #2 is updated before the list for #1, since an interface is fully brought up before the ifup event is fired off.

Additionally, we want to make sure we don't apply a WAN policy for incoming packets from a WAN interface that is in the process of being brought up. We can identify packets that are presumably coming from a WAN interface we don't recognize yet by eliminating all packets whose source comes from networks we don't know about in the ipsets that mwan3 manages. We have to be careful here to only match the original direction of the packet flow (e.g. for instance with ICMP, the ping request is in the ORIGINAL direction, and the response is in the REPLY direction) or else we might match something we didn't intend to.

By modifying the rule set to the following:

1. Packets are checked to see if they are in a REPLY direction of flow
2. Packets are checked to see if they originate from known WAN interfaces
3. Packets are checked to see if they're not sourced from ipsets defined
4. Packets are checked to see if they're destined for ipsets defined
5. Packets are checked against default WAN policies

If a packet is in the REPLY direction of flow, we definitely don't want to do any routing table assignments - we only want to do this for the original direction of traffic flow. This reduces the amount of rules parsed within mwan3.

If a packet is not sourced from a defined ipset, this should match any packet originating from a "default route" upstream. We do this post the known WAN interface check since we don't know what mask to apply to this packet at this time until the 'ifup' has completed. It's also set up to reevaluate this decision by clearing this specific mark when a new packet comes in in the REPLY direction of flow before any subsequent evaluations. This allows additional packets for the same connection to eventually be assigned the appropriate mask once the 'ifup' has finished.

One easy way to test this out before and after this change is to:

- Bring down wan (e.g. ifdown wan)
- Manually bring up WAN
- This mitigates the firewall rules being added for #1 above, but #2 is still added since this is monitoring the routing interface
- Ping the device from a non-local subnet via the WAN interface; leave running
- Observe mark set to ICMP session via conntrack
- Bring up wan (e.g. ifup wan)
- Observe mark set to ICMP session from above

Signed-off-by: Tim Nordell <[email protected]>
Vectorscan is a fork of Hyperscan, a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, but is a standalone library with its own C API.

Currently ARM NEON/ASIMD and Power VSX are 100% functional. ARM SVE2 support is ongoing with access to hardware now. More platforms will follow in the future.

The performance difference of snort3 compiled against this is sizable.

Test SoC #1 flogic/glinet_gl-mt6000

IDS mode:
Download speed wo/ vectorscan: 91.2 ±0.21 Mbit/s (n=3)
Download speed using vectorscan: 331.0 ±27.34 Mbit/s (n=3)
Gain of 3.6x

IPS mode:
Download speed wo/ vectorscan: 30.0 ±0.06 Mbit/s (n=3)
Download speed using vectorscan: 52.9 ±0.78 Mbit/s (n=3)
Gain of 1.8x

Notes:
* Data generated on snapshot build on 12-Apr-2024 using kernel version 6.6.26, snort version 3.1.84.0, vectorscan version 5.4.11.
* Speedtest script hitting the same server.
* Snort rules file was 37,917 lines/22 MB.
* In all cases, single core CPU saturation occurred which speaks to the efficiency gains supplied by vectorscan.

Test SoC #2 bcm2712/RPi5B

IDS mode:
Using iperf3 to send wo/ vectorscan: 515 Mbits/sec
Using iperf3 to send using vectorscan: 934 Mbits/sec
Gain of >1.8x

IPS mode:
Using iperf3 to send wo/ vectorscan: 259 Mbits/sec
Using iperf3 to send using vectorscan: 934 Mbits/sec
Gain of >3.7x (934 Mbits/sec is the theoretical max)

Build system: x86/64
Build-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B
Run-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B

Co-authored-by: Tianling Shen <[email protected]>
Co-authored-by: Jeffery To <[email protected]>
Signed-off-by: John Audia <[email protected]>
Vectorscan is a fork of Hyperscan, a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, but is a standalone library with its own C API.

Currently ARM NEON/ASIMD and Power VSX are 100% functional. ARM SVE2 support is ongoing with access to hardware now. More platforms will follow in the future.

The performance difference of snort3 compiled against this is sizable.

Test SoC #1 flogic/glinet_gl-mt6000

IDS mode:
Download speed wo/ vectorscan: 91.2 ±0.21 Mbit/s (n=3)
Download speed using vectorscan: 331.0 ±27.34 Mbit/s (n=3)
Gain of 3.6x

IPS mode:
Download speed wo/ vectorscan: 30.0 ±0.06 Mbit/s (n=3)
Download speed using vectorscan: 52.9 ±0.78 Mbit/s (n=3)
Gain of 1.8x

Notes:
* Data generated on snapshot build on 12-Apr-2024 using kernel 6.6.26, snort 3.1.84.0, vectorscan 5.4.11.
* Speedtest script hitting the same server.
* Snort rules file was 37,917 lines/22 MB.
* In all cases, single core CPU saturation occurred which speaks to the efficiency gains supplied by vectorscan.

Test SoC #2 bcm2712/RPi5B

IPS mode:
Download speed wo/ vectorscan: 164.3 ±0.64 Mbit/s (n=3)
Download speed using vectorscan: 232.8 ±0.26 Mbit/s (n=3)
Gain of 1.4x

Notes:
* Data generated on snapshot build on 13-Apr-2024 using kernel 6.1.86, snort 3.1.84.0, vectorscan 5.4.11.
* Google fiber speedtest (https://fiber.google.com/speedtest/) hitting the same server.
* Snort rules contained 39,801 rules/22 MB.
* In all cases, single core CPU saturation occurred which speaks to the efficiency gains supplied by vectorscan.

Build system: x86/64
Build-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B
Run-tested: flogic/glinet_gl-mt6000, bcm2712/RPi5B

Co-authored-by: Tianling Shen <[email protected]>
Co-authored-by: Jeffery To <[email protected]>
Signed-off-by: John Audia <[email protected]>
No description provided.