openwrt · graysky2 · Jan 28, 2025 · Feb 5, 2025 · Feb 19, 2025 · Mar 16, 2025
diff --git a/libs/gperftools/Makefile b/libs/gperftools/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gperftools
 PKG_VERSION:=2.17.2
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/gperftools/gperftools/tar.gz/$(PKG_NAME)-$(PKG_VERSION)?
@@ -21,30 +21,18 @@ PKG_FIXUP:=autoreconf
 
 include $(INCLUDE_DIR)/package.mk
 
-define Package/gperftools-headers
-  CATEGORY:=Libraries
-  SECTION:=libs
-  TITLE:=Gperftools Headers
-  URL:=https://github.com/gperftools/gperftools
-  DEPENDS:= @!(powerpc)
-endef
-
-define Package/gperftools-runtime
+define Package/gperftools
   SECTION:=libs
   CATEGORY:=Libraries
   TITLE:=Gperftools Runtime
   URL:=https://github.com/gperftools/gperftools
   DEPENDS:=+PACKAGE_libunwind:libunwind +libstdcpp @!(powerpc)
+  ABI_VERSION:=4
 endef
 
-define Package/gperftools-headers/description
-  Gperftools is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools.
-  This package contains the headers.
-endef
-
-define Package/gperftools-runtime/description
+define Package/gperftools/description
   Gperftools is a collection of a high-performance multi-threaded malloc() implementation, plus some pretty nifty performance analysis tools.
-  This package contains the shared objects and bins.
+  This package contains the shared libraries.
 endef
 
 CONFIGURE_ARGS += \
@@ -59,14 +47,9 @@ define Build/InstallDev
 	$(CP) $(PKG_INSTALL_DIR)/usr/include/gperftools/*.h $(1)/usr/include/gperftools/
 endef
 
-define Package/gperftools-headers/install
-	$(INSTALL_DIR) $(1)/usr/include/gperftools
-	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/gperftools/tcmalloc.h $(1)/usr/include/gperftools
-endef
-
-define Package/gperftools-runtime/install
+define Package/gperftools/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libtcmalloc.so* $(1)/usr/lib/
 endef
-$(eval $(call BuildPackage,gperftools-headers))
-$(eval $(call BuildPackage,gperftools-runtime))
+
+$(eval $(call BuildPackage,gperftools))
diff --git a/libs/hyperscan/Makefile b/libs/hyperscan/Makefile
diff --git a/libs/hyperscan/patches/0001-CMakeLists.txt-hack-for-our-build-system.patch b/libs/hyperscan/patches/0001-CMakeLists.txt-hack-for-our-build-system.patch
diff --git a/libs/vectorscan/Makefile b/libs/vectorscan/Makefile
@@ -0,0 +1,73 @@
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=vectorscan
+PKG_VERSION:=5.4.12
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://codeload.github.com/VectorCamp/vectorscan/tar.gz/$(PKG_NAME)/$(PKG_VERSION)?
+PKG_HASH:=1ac4f3c038ac163973f107ac4423a6b246b181ffd97fdd371696b2517ec9b3ed
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION)
+
+PKG_MAINTAINER:=John Audia <[email protected]>
+PKG_LICENSE:=BSD-3-Clause BSD-2-Clause BSL-1.0
+PKG_LICENSE_FILES:=LICENSE
+CMAKE_INSTALL:=1
+PKG_BUILD_FLAGS:=no-lto
+PKG_BUILD_DEPENDS:=ragel/host python3/host boost/host
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+# With at least version 5.4.12, Neon/ASIMD is required for Arm support
+ifeq ($(CONFIG_CPU_NEON),)
+  PKG_BUILD_FLAGS := skip
+endif
+
+CMAKE_OPTIONS += \
+	-DCMAKE_INSTALL_PREFIX=/usr \
+	-DCMAKE_INSTALL_LIBDIR=lib \
+	-DBUILD_SHARED_LIBS=ON \
+	-Wno-dev
+
+ifeq ($(CONFIG_USE_GLIBC),y)
+	CMAKE_OPTIONS += -DFAT_RUNTIME=ON -DBUILD_BENCHMARKS=ON
+else
+	CMAKE_OPTIONS += -DFAT_RUNTIME=OFF -DBUILD_BENCHMARKS=OFF
+endif
+
+define Package/vectorscan
+  SECTION:=libs
+  CATEGORY:=Libraries
+  TITLE:=Vectorscan Runtime
+  URL:=https://github.com/VectorCamp/vectorscan
+  DEPENDS:= +libstdcpp +libsqlite3 @(x86_64||aarch64)
+  ABI_VERSION:=5
+endef
+
+define Package/vectorscan/description
+  Vectorscan is a portable fork of Intel's Hyperscan, a high-performance
+  multiple regex matching library. It provides a streaming and block-based
+  regex matcher with support for large pattern sets.
+endef
+
+define Build/InstallDev
+	$(INSTALL_DIR) $(1)/usr/include/hs
+	$(INSTALL_DATA) $(PKG_INSTALL_DIR)/usr/include/hs/* $(1)/usr/include/hs/
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libhs* $(1)/usr/lib/
+	$(INSTALL_DIR) $(1)/usr/lib/pkgconfig
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/libhs.pc $(1)/usr/lib/pkgconfig/libhs.pc
+endef
+
+define Package/vectorscan/install
+	$(INSTALL_DIR) $(1)/usr/lib
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libhs.so* $(1)/usr/lib/
+endef
+
+$(eval $(call BuildPackage,vectorscan))
diff --git a/net/snort3/Makefile b/net/snort3/Makefile
@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=snort3
-PKG_VERSION:=3.9.5.0
-PKG_RELEASE:=5
+PKG_VERSION:=3.9.6.0
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/snort3/snort3/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=e2e36a8db2c4c26a6ff58ea58839339260319eba25d0eb901ddb7210f4fa4b4c
+PKG_HASH:=2335678bc5ff4f876dcdb6985407a5312b0f3bb470da29e2926f57f942ce3b94
 
 PKG_MAINTAINER:=W. Michael Petullo <[email protected]>, John Audia <[email protected]>
 PKG_LICENSE:=GPL-2.0-only
@@ -28,8 +28,9 @@ define Package/snort3
   DEPENDS:=+libstdcpp +libdaq3 +libdnet +libopenssl +libpcap +libpcre2 \
     +libpthread +libuuid +zlib +libhwloc +USE_MUSL:libtirpc @HAS_LUAJIT_ARCH +luajit +libatomic \
     +kmod-nft-queue +liblzma +ucode +ucode-mod-fs +ucode-mod-uci \
-    +PACKAGE_gperftools-runtime:gperftools-runtime \
-    +PACKAGE_hyperscan-runtime:hyperscan-runtime
+    +PACKAGE_gperftools:gperftools \
+    +PACKAGE_vectorscan:vectorscan
+  USERID:=snort=975:snort=975
   TITLE:=Lightweight Network Intrusion Detection System
   URL:=http://www.snort.org/
   MENU:=1
@@ -41,6 +42,14 @@ define Package/snort3/description
   and packet logging on IP networks.  It utilizes a combination of protocol
   analysis and pattern matching in order to detect anomalies, misuse and
   attacks.
+
+  Note:
+    When compiling from source, and if your target supports them, optionally
+    enable runtime dependencies for improved performance:
+      - gperftools
+      - vectorscan
+    These are not enabled by default and must be manually selected in menuconfig
+    to take advantage of their benefits.
 endef
 
 CMAKE_OPTIONS += \
@@ -57,9 +66,9 @@ CMAKE_OPTIONS += \
 	-DMAKE_TEXT_DOC:BOOL=NO \
 	-DHAVE_LIBUNWIND=OFF \
 	-DHAVE_LZMA=ON \
-	-DENABLE_TCMALLOC=$(if $(CONFIG_PACKAGE_gperftools-runtime),ON,OFF) \
-	-DENABLE_HYPERSCAN=$(if $(CONFIG_PACKAGE_vectorscan-runtime),ON,OFF) \
-	$(if $(CONFIG_PACKAGE_vectorscan-runtime),-DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs)
+	-DENABLE_TCMALLOC=$(if $(CONFIG_PACKAGE_gperftools),ON,OFF) \
+	-DENABLE_HYPERSCAN=$(if $(CONFIG_PACKAGE_vectorscan),ON,OFF) \
+	$(if $(CONFIG_PACKAGE_vectorscan),-DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs)
 
 TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/daq3
 
@@ -97,22 +106,6 @@ define Package/snort3/install
 
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/snort.config $(1)/etc/config/snort
-
-	sed \
-		-i \
-		-e "/^-- HOME_NET and EXTERNAL_NET/ i -- The values for the two variables HOME_NET and EXTERNAL_NET have been" \
-		-e "/^-- HOME_NET and EXTERNAL_NET/ i -- moved to /etc/config/snort, so do not modify them here without good" \
-		-e "/^-- HOME_NET and EXTERNAL_NET/ i -- reason.\n" \
-		-e 's/^\(HOME_NET\s\+=\)/--\1/g' \
-		-e 's/^\(EXTERNAL_NET\s\+=\)/--\1/g' \
-		$(1)/etc/snort/snort.lua
-	sed \
-		-i -e "s/^\\(RULE_PATH\\s\\+=\\).*/\\1 'rules'/g" \
-		-e "s/^\\(BUILTIN_RULE_PATH\\s\\+=\\).*/\\1 'builtin_rules'/g" \
-		-e "s/^\\(PLUGIN_RULE_PATH\\s\\+=\\).*/\\1 'so_rules'/g" \
-		-e "s/^\\(WHITE_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
-		-e "s/^\\(BLACK_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
-		$(1)/etc/snort/snort_defaults.lua
 endef
 
 $(eval $(call BuildPackage,snort3))
diff --git a/net/snort3/files/snort.init b/net/snort3/files/snort.init
@@ -43,6 +43,14 @@ start_service() {
 		procd_set_param env SNORT_LUA_PATH="$config_dir"
 		procd_set_param file $CONFIGFILE
 	fi
+	[ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
+		chown -R snort:snort "$config_dir"
+		procd_add_jail snort
+		procd_set_param capabilities /etc/capabilities/snort.json
+		procd_set_param user snort
+		procd_set_param group snort
+		procd_set_param no_new_privs 1
+	}
 	procd_set_param respawn
 	procd_set_param stdout 0
 	procd_set_param stderr 1

diff --git a/net/snort3/files/snort.json b/net/snort3/files/snort.json
@@ -0,0 +1,27 @@
+{
+	"bounding": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"effective": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"ambient": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"permitted": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"inheritable": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	]
+}