Merge branch 'master' into docker-dep-build-validation

openwrt · Feb 14, 2025 · 178fce9 · 178fce9
2 parents 4210b17 + 4e3d784
commit 178fce9
Show file tree

Hide file tree

Showing 14 changed files with 112 additions and 53 deletions.
diff --git a/net/banip/Makefile b/net/banip/Makefile
@@ -5,8 +5,8 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=1.5.0
-PKG_RELEASE:=6
+PKG_VERSION:=1.5.1
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <[email protected]>
 

diff --git a/net/banip/files/README.md b/net/banip/files/README.md
@@ -86,7 +86,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
 * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
-* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
+* Supports an 'allowlist only' mode, this option restricts the internet access only to specific, explicitly allowed IP segments
 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
 * Optionally always allow certain protocols/destination ports in the inbound chain
 * Deduplicate IPs accross all Sets (single IPs only, no intervals)
@@ -174,7 +174,7 @@ Available commands:
 | ban_autoblocklist       | option | 1                             | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets)      |
 | ban_autoblocksubnet     | option | 0                             | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP               |
 | ban_autoallowuplink     | option | subnet                        | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all                                     |
-| ban_allowlistonly       | option | 0                             | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments             |
+| ban_allowlistonly       | option | 0                             | restrict the internet access only to specific, explicitly allowed IP segments                                     |
 | ban_allowflag           | option | -                             | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445'          |
 | ban_allowurl            | list   | -                             | external allowlist feed URLs, one or more references to simple remote IP lists                                    |
 | ban_basedir             | option | /tmp                          | base working directory while banIP processing                                                                     |
@@ -370,7 +370,7 @@ Furthermore, you can reference external Allowlist URLs with additional IPv4 and
 Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
 
 **Allowlist-only mode**  
-banIP supports an "allowlist only" mode. This option skips all blocklists and restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.  
+banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.  
 
 **MAC/IP-binding**
 banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments or to free connected clients from outbound blocking.  

diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
@@ -99,14 +99,13 @@ ban_debug="0"
 f_system() {
 	local cpu core
 
-	if [ -z "${ban_dev}" ]; then
-		ban_debug="$(uci_get banip global ban_debug "0")"
-		ban_cores="$(uci_get banip global ban_cores)"
-	fi
+	ban_debug="$(uci_get banip global ban_debug "0")"
+	ban_cores="$(uci_get banip global ban_cores)"
 	ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
 	ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
 	ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' |
 		"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')"
+
 	if [ -z "${ban_cores}" ]; then
 		cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
 		core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)"
@@ -608,17 +607,17 @@ f_etag() {
 # load file in nftset
 #
 f_nftload() {
-	local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" load_log="" file="${1}" errmsg="${2}"
+	local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" file="${1}" errmsg="${2}"
 
 	while [ "${load_rc}" != "0" ]; do
-		load_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
+		"${ban_nftcmd}" -f "${file}" >/dev/null 2>&1
 		load_rc="${?}"
 		if [ "${load_rc}" = "0" ]; then
 			break
 		elif [ "${cnt}" = "${max_cnt}" ]; then
 			[ ! -d "${ban_errordir}" ] && f_mkdir "${ban_errordir}"
 			"${ban_catcmd}" "${file}" 2>/dev/null >"${ban_errordir}/err.${file##*/}"
-			f_log "info" "${errmsg}, ${load_log::256}"
+			f_log "info" "${errmsg}"
 			break
 		fi
 		cnt="$((cnt + 1))"
@@ -677,7 +676,7 @@ f_nftinit() {
 		printf "%s\n" "add table inet banIP"
 		# base chains
 		#
-		printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -199; policy accept; }"
+		printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -175; policy accept; }"
 		printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
 		printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
 		printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
@@ -1737,7 +1736,12 @@ f_survey() {
 		printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
 		return
 	fi
-	set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
+
+	if [ "$(uci_get banip global ban_nftcount)" = "1" ]; then
+		set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*].elem.val')"
+	else
+		set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
+	fi
 	printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
 	printf "    %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
 	printf "    %s\n" "---"
@@ -1866,7 +1870,6 @@ fi
 #
 ban_awkcmd="$(f_cmd gawk awk)"
 ban_catcmd="$(f_cmd cat)"
-ban_fw4cmd="$(f_cmd fw4)"
 ban_grepcmd="$(f_cmd grep)"
 ban_jsoncmd="$(f_cmd jsonfilter)"
 ban_logcmd="$(f_cmd logger)"

diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
@@ -29,10 +29,8 @@ f_rmdir "${ban_errordir}"
 
 # firewall/fw4 pre-check
 #
-if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
-	f_log "err" "firewall/fw4 not found"
-elif ! /etc/init.d/firewall status >/dev/null 2>&1; then
-	f_log "info" "firewall/fw4 is not running"
+if ! /etc/init.d/firewall status >/dev/null 2>&1; then
+	f_log "info" "the main firewall is not running"
 fi
 
 # init banIP nftables namespace
@@ -41,16 +39,14 @@ if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" list chain inet banIP pr
 	f_nftinit "${ban_tmpfile}".init.nft
 fi
 
-# handle downloads
+# start banIP processing
 #
 f_log "info" "start banIP download processes"
-if [ "${ban_allowlistonly}" = "1" ]; then
-	ban_feed=""
-else
-	f_getfeed
-fi
+f_getfeed
 [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
 
+# handle downloads
+#
 cnt="1"
 for feed in allowlist ${ban_feed} blocklist; do
 	# local feeds (sequential processing)

diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
@@ -275,10 +275,12 @@
 		"descr": "tor exit nodes"
 	},
 	"turris":{
-		"url_4":"https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
-		"rule_4":"BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
+		"url_4": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
+		"url_6": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
+		"rule_4": "BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
+		"rule_6": "BEGIN{FS=\",\"}/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)/{printf \"%s,\\n\",$1}",
 		"chain": "in",
-		"descr":"turris sentinel blocklist"
+		"descr": "turris sentinel blocklist"
 	},
 	"uceprotect1":{
 		"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",

diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init
@@ -20,13 +20,24 @@ ban_funlib="/usr/lib/banip-functions.sh"
 ban_pidfile="/var/run/banip.pid"
 ban_lock="/var/run/banip.lock"
 
-[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
-{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
-[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
-[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
-{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
+if [ -z "${IPKG_INSTROOT}" ]; then
+	if [ "${action}" = "boot" ] && "${ban_init}" running; then
+		exit 0
+	elif { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] ||
+		[ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running; then
+		exit 0
+	fi
+	if [ ! -d "${ban_lock}" ] &&
+		{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
+		[ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
+		mkdir -p "${ban_lock}"	
+	elif [ -d "${ban_lock}" ] &&
+		{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
+		[ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
+		exit 1
+	fi
+	. "${ban_funlib}"
+fi
 
 boot() {
 	: >"${ban_pidfile}"

diff --git a/net/ddns-scripts/Makefile b/net/ddns-scripts/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ddns-scripts
 PKG_VERSION:=2.8.2
-PKG_RELEASE:=61
+PKG_RELEASE:=62
 
 PKG_LICENSE:=GPL-2.0
 
@@ -362,6 +362,10 @@ define Package/ddns-scripts/install
 	$(INSTALL_DIR) $(1)/usr/bin
 	$(INSTALL_BIN) ./files/usr/bin/ddns.sh \
 		$(1)/usr/bin/ddns
+
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_DATA) ./files/etc/uci-defaults/50-ddns-migrate-retry-count \
+		$(1)/etc/uci-defaults/
 endef
 
 define Package/ddns-scripts/postinst

diff --git a/net/ddns-scripts/files/etc/uci-defaults/50-ddns-migrate-retry-count b/net/ddns-scripts/files/etc/uci-defaults/50-ddns-migrate-retry-count
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+. /lib/functions.sh
+
+upgrade_to_retry_max_count() {
+	local service=$1
+	local retry_count retry_max_count
+
+	config_get retry_max_count $service retry_max_count
+	config_get retry_count $service retry_count
+	if [ -z "$retry_max_count" ] && [ -n "$retry_count" ]; then
+		uci_set ddns $service retry_max_count $retry_count
+		uci_commit ddns
+	fi
+}
+
+config_load ddns
+config_foreach upgrade_to_retry_max_count service
+
+exit 0
diff --git a/net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh b/net/ddns-scripts/files/usr/lib/ddns/update_cloudflare_com_v4.sh
@@ -72,11 +72,11 @@ cloudflare_transfer() {
 		}
 
 		__CNT=$(( $__CNT + 1 ))	# increment error counter
-		# if error count > retry_count leave here
-		[ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \
-			write_log 14 "Transfer failed after $retry_count retries"
+		# if error count > retry_max_count leave here
+		[ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \
+			write_log 14 "Transfer failed after $retry_max_count retries"
 
-		write_log 4 "Transfer failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds"
+		write_log 4 "Transfer failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds"
 		sleep $RETRY_SECONDS &
 		PID_SLEEP=$!
 		wait $PID_SLEEP	# enable trap-handler

diff --git a/net/ddns-scripts/files/usr/lib/ddns/update_dnspod_cn.sh b/net/ddns-scripts/files/usr/lib/ddns/update_dnspod_cn.sh
@@ -70,7 +70,7 @@ dnspod_transfer() {
 			return 1
 		fi
 		__CNT=$(($__CNT + 1))
-		[ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && write_log 14 "Transfer failed after $retry_count retries"
+		[ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && write_log 14 "Transfer failed after $retry_max_count retries"
 		write_log 4 "Transfer failed - $__CNT Try again in $RETRY_SECONDS seconds"
 		sleep $RETRY_SECONDS &
 		PID_SLEEP=$!

diff --git a/net/ddns-scripts/files/usr/lib/ddns/update_godaddy_com_v1.sh b/net/ddns-scripts/files/usr/lib/ddns/update_godaddy_com_v1.sh
@@ -68,11 +68,11 @@ godaddy_transfer() {
 		}
 
 		__CNT=$(( $__CNT + 1 ))	# increment error counter
-		# if error count > retry_count leave here
-		[ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \
-			write_log 14 "Transfer failed after $retry_count retries"
+		# if error count > retry_max_count leave here
+		[ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \
+			write_log 14 "Transfer failed after $retry_max_count retries"
 
-		write_log 4 "Transfer failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds"
+		write_log 4 "Transfer failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds"
 		sleep $RETRY_SECONDS &
 		PID_SLEEP=$!
 		wait $PID_SLEEP	# enable trap-handler

diff --git a/net/ddns-scripts/files/usr/lib/ddns/update_luadns_v1.sh b/net/ddns-scripts/files/usr/lib/ddns/update_luadns_v1.sh
@@ -51,11 +51,11 @@ luadns_transfer() {
 		}
 
 		__CNT=$(( $__CNT + 1 ))	# increment error counter
-		# if error count > retry_count leave here
-		[ $retry_count -gt 0 -a $__CNT -gt $retry_count ] && \
-			write_log 14 "Transfer failed after $retry_count retries"
+		# if error count > retry_max_count leave here
+		[ $retry_max_count -gt 0 -a $__CNT -gt $retry_max_count ] && \
+			write_log 14 "Transfer failed after $retry_max_count retries"
 
-		write_log 4 "Transfer failed - retry $__CNT/$retry_count in $RETRY_SECONDS seconds"
+		write_log 4 "Transfer failed - retry $__CNT/$retry_max_count in $RETRY_SECONDS seconds"
 		sleep $RETRY_SECONDS &
 		PID_SLEEP=$!
 		wait $PID_SLEEP	# enable trap-handler
@@ -112,7 +112,7 @@ if [ -n "$zone_id" ]; then
 else
 	# read zone id for registered domain.TLD
 	__RUNPROG="$__PRGBASE --request GET '$__URLBASE/zones'"
-	luadns_transfer || return 1	
+	luadns_transfer || return 1
 	# extract zone id
 	i=1
 	while : ; do

diff --git a/net/ddns-scripts/samples/ddns.config_sample b/net/ddns-scripts/samples/ddns.config_sample
@@ -271,7 +271,7 @@ config service "myddns"
 	# a network to use for communication.
 	# should use option ip_source "web" (see above)
 	# Needs GNU Wget (with SSL support) or cURL to be installed.
-	# GNU Wget will use IP address and cURL the physical device 
+	# GNU Wget will use IP address and cURL the physical device
 	# of the given network
 	# default: none
 #	option bind_network "wan7"
@@ -304,10 +304,10 @@ config service "myddns"
 
 	###########
 	# if error happen on detecting, sending or updating the
-	# script will retry the relevant action for retry_count times
+	# script will retry the relevant action for retry_max_count times
 	# before stopping script execution.
 	# default: 5
-	option retry_count '5'
+	option retry_max_count '5'
 
 	###########
 	# if error happen on detecting, sending or updating the

diff --git a/net/keepalived/files/keepalived.init b/net/keepalived/files/keepalived.init
@@ -287,6 +287,25 @@ static_routes() {
 	done
 }
 
+interface_up_down_delays() {
+	local device
+	local down_delay
+	local up_delay
+	local line
+
+	config_get device "$1" device
+	config_get down_delay "$1" down_delay
+	config_get up_delay "$1" up_delay
+
+	[ -z "$device" ] && return
+	[ -z "$down_delay" ] && return
+
+	line="${device} ${down_delay}"
+	[ -z "$up_delay" ] || line="${line} ${up_delay}"
+
+	printf '%b%s\n' "$INDENT_1" "$line" >> "$KEEPALIVED_CONF"
+}
+
 # Count 'vrrp_instance' with the given name ; called by vrrp_instance_check()
 vrrp_instance_name_count() {
 	local name
@@ -613,6 +632,10 @@ process_config() {
 	config_foreach_wrapper static_routes
 	config_section_close
 
+	config_section_open "interface_up_down_delays"
+	config_foreach_wrapper interface_up_down_delays
+	config_section_close
+
 	config_foreach_wrapper vrrp_script
 	config_foreach_wrapper bfd_instance
 	config_foreach_wrapper vrrp_sync_group