New package: crowdsec-firewall-bouncer (v0.0.34)
- Based on official OpenWrt package from openwrt/packages
- Full nftables integration with IPv4/IPv6 support
- Timeout-based sets for automatic ban expiration
- Input and forward chain filtering
- Interface-based filtering
- procd service management with ujail support
- UCI configuration
Init script features:
- Creates nftables tables: crowdsec (IPv4), crowdsec6 (IPv6)
- Creates timeout-enabled sets for blocklists
- Generates YAML config from UCI settings
- Automatic cleanup on service stop
Updated secubox-app-crowdsec-bouncer to v0.0.32
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New features:
- New RPCD method: acquisition_metrics for detailed stats
- Realtime metrics display with 10-second polling
- Visual stat cards: lines read, parsed, unparsed, buckets
- Parse rate progress bar with color coding
- Active acquisition sources badges
- Rate calculation (events/sec) between polls
- Live update indicator with timestamp
API changes:
- Added getAcquisitionMetrics() to API layer
- Added acquisition_metrics to ACL permissions
Bumped version to 0.7.0-17
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt uses logd by default which doesn't write to files.
CrowdSec file-based acquisition needs /var/log/messages to exist.
Changes:
- Init script: setup_syslog() configures log_file before each start
- Defaults script: setup_syslog_file() configures at install time
- openwrt-syslog.yaml: Remove non-existent /var/log/syslog reference
The init script sets:
uci set system.@system[0].log_file='/var/log/messages'
uci set system.@system[0].log_size='512'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Native OpenWrt package for zstandard compression library.
Can be used as alternative to pip installation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The zstandard package required by mitmproxy 8.1.1 doesn't have musllinux
wheels in older versions, causing pip to try compiling from source which
fails without gcc on the router.
Fix: Pre-install zstandard 0.23.0 which has musllinux aarch64 wheels
before installing mitmproxy.
Changes:
- Bump version to 2.1.0
- Revert to pip-based installation (native build requires full toolchain)
- Add zstandard 0.23.0 pre-install step in postinst
- Restore wrapper scripts for mitmproxy/mitmdump/mitmweb
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OpenWrt .config for mvebu/cortexa72 target
- Update .gitignore
- Update Claude settings
- Minor portal.js update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 9.x requires mitmproxy-wireguard (Rust).
Version 8.1.1 is pure Python and works on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy-rs which needs Rust compiler.
Version 9.0.1 is pure Python and works on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LuCI requires modules to use baseclass.extend() pattern.
Fixed "factory yields invalid constructor" error.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal Integration:
- Add mitmproxy to Security section with service status tracking
- Add vhost-manager to new Services section
- Add Services section to portal navigation header
- Update path detection for security/mitmproxy and services/vhosts
mitmproxy Changes:
- Move menu from admin/secubox/mitmproxy to admin/secubox/security/mitmproxy
- Update view navigation links to use new path structure
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 11.x requires Python 3.12 which is not available on OpenWrt.
Version 10.4.2 is the last stable release supporting Python 3.10+.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Switch to runtime pip installation instead of build-time
- Remove complex build dependencies (python3-package.mk)
- Add wrapper scripts for mitmproxy, mitmdump, mitmweb
- Postinst installs mitmproxy==11.1.3 via pip on device
- Supports all architectures with PKGARCH:=all
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update mitmproxy to v11.1.3
- Build from Python source (no prebuilt arm64 binaries)
- Add Python dependencies
- Add mitmproxy to local-build.sh and sync-openwrt-packages.sh
- Set PKGARCH:=all for Python package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages for full URL/cookie/header capture via MITM proxy:
secubox-app-mitmproxy:
- Downloads mitmproxy v11.1.2 binary for aarch64
- Transparent proxy mode with iptables integration
- mitmweb UI on port 8081
- Auto CA certificate generation
- mitmproxyctl CLI management tool
luci-app-mitmproxy:
- SecuBox themed dashboard with red color scheme
- Real-time request capture view
- Top hosts statistics
- CA certificate management
- Full UCI settings interface
- RPCD backend for ubus API
This enables full HTTP/HTTPS inspection including:
- Complete URLs (not just hostnames like nDPId)
- Cookies and headers
- Request/response bodies
- Flow recording for replay
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OpenWrt jq is compiled without ONIGURUMA regex library, so test()
function doesn't work. Replace all regex patterns with contains()
for streaming service detection.
- Use ascii_downcase + contains() for pattern matching
- Define is_streaming, get_category, get_quality as jq functions
- Detects: YouTube, Netflix, Spotify, WhatsApp, Discord, Zoom, etc.
- Bump version to 0.6.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove PKG_FILE_MODES that caused chown build errors
- Add missing $(eval $(call BuildPackage)) macro
- Add explicit install rules for all resources
- Bump version to 0.6.1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal (luci-app-secubox-portal):
- Fix service status showing 0/9 by checking if init scripts exist
- Only count installed services in status display
- Use pgrep fallback when init script status fails
nDPId Dashboard (luci-app-ndpid):
- Add default /etc/config/ndpid configuration
- Add /etc/init.d/ndpid-compat init script
- Enable compat service in postinst for app detection
- Fix Makefile to install init script and config
CrowdSec Dashboard:
- Add CLAUDE.md with OpenWrt-specific guidelines (pgrep without -x)
- CSS fixes for hiding LuCI left menu in all views
- LAPI repair improvements with retry logic
New Packages:
- secubox-app-crowdsec: OpenWrt-native CrowdSec package
- secubox-app-netifyd: Netifyd DPI integration
- luci-app-secubox: Core SecuBox hub
- luci-theme-secubox: Custom theme
Removed:
- luci-app-secubox-crowdsec (replaced by crowdsec-dashboard)
- secubox-crowdsec-setup (functionality moved to dashboard)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Stop CrowdSec before repair for clean state
- Create all required directories with proper permissions
- Regenerate local_api_credentials.yaml if missing
- Wait for LAPI port 8080 with retries before machine registration
- Use 30s timeout for repair operations
- Add retry logic for final LAPI verification
- Better error reporting with detailed steps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Instead of trying to parse opkg output directly, use the same
secubox-appstore list --json command that the modules page uses.
This ensures consistent installation detection across both views.
The get_appstore_apps method now:
1. Gets modules list from secubox-appstore (which properly detects installed packages)
2. Merges installation status into catalog apps
3. Returns apps with correct installed/enabled/status fields
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The app store was showing all apps as not installed because the
get_appstore_apps RPC method didn't check installation status.
Now it:
- Gets list of installed packages via opkg list-installed
- Adds 'installed: true/false' to each app based on whether
its required package is in the installed list
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Update portal.js sections to include:
- Portal (home page)
- Hub (SecuBox dashboard)
- Admin (Admin Control Panel)
- Security, Network, Monitoring, System (existing)
Update index.js to render Portal/Hub/Admin as links to separate
pages while keeping Security/Network/Monitoring/System as tabs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add portal header and dark theme styling to all Media Flow subviews:
- clients.js: Client statistics with portal header
- services.js: Service statistics with portal header
- history.js: Stream history with portal header
- alerts.js: Streaming alerts with portal header
Each view now includes:
- SecuBox global header with Hub, Admin, Security, Network, Monitoring, System navigation
- Internal Media Flow navigation (Dashboard, Clients, Services, History, Alerts)
- Consistent dark theme styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added startHeaderObserver() for continuous DOM monitoring
- Observer watches for new header elements and hides them immediately
- Added interval-based backup hiding every 100ms
- Ensures OpenWrt header stays hidden even after dynamic content loads
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Enhanced CSS selectors to hide all non-SecuBox headers
- Added visibility:hidden and height:0 for complete removal
- Added JavaScript detection for cyan/blue background headers
- Hide headers that are siblings of secubox-page-wrapper
- Target OpenWrt-specific elements like .showSide and .darkMask
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added 'Hub' link pointing to main SecuBox dashboard (luci-app-secubox)
- Added 'Admin' link pointing to Admin Control Panel (luci-app-secubox-admin)
- Updated section detection for proper active state highlighting
- Organized sections: Portal, Hub, Admin, Security, Network, Monitoring, System
- Improved path detection for all SecuBox apps and modules
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add menu entry for admin/secubox/settings in portal menu
- Update portal.js to use the shorter settings path
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change nav bar background from rgba(255,255,255,0.05) to solid #141419
- Add subtle border for visual separation
- Ensures proper dark theme appearance for navigation tabs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add internal navigation bars to nDPId (Dashboard, Flows, Settings)
- Add internal navigation bars to Netifyd (Dashboard, Flows, Devices, Applications, Settings)
- Complete dark theme CSS for Netifyd with LuCI element overrides
- Add CSS loading to all Netifyd views
- Version bumps: luci-app-ndpid 1.1.1, luci-app-secubox-netifyd 1.2.1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add unified SecuBox header navigation to all 5 Netifyd views:
- dashboard.js, devices.js, flows.js, applications.js, settings.js
Pattern: Wrap view content with secubox-page-wrapper and prepend
SbHeader.render() to hide LuCI sidebar when in portal context.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add unified SecuBox header navigation to all 3 nDPId views:
- dashboard.js, flows.js, settings.js
Pattern: Wrap view content with secubox-page-wrapper and prepend
SbHeader.render() to hide LuCI sidebar when in portal context.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change CSS default from light to dark mode in :root selector
(System Hub common.css in both theme and app)
- Add CSS rules to hide LuCI view tabs (.cbi-tabmenu, ul.tabs, etc.)
when in SecuBox mode
- Update hideOpenWrtUI() to also hide view tabs via JavaScript
This ensures consistent dark theme styling without depending on
data-secubox-theme attribute timing, and hides LuCI's native
navigation tabs when displaying SecuBox header.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove '/overview' from the redirect path to let the menu's
firstchild action handle the navigation properly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add unified SecuBox header navigation to all 10 System Hub views
for consistent portal integration when accessed from SecuBox Portal:
- overview.js, health.js, services.js, diagnostics.js
- logs.js, backup.js, components.js, settings.js
- dev-status.js, remote.js
Pattern: Wrap view content with secubox-page-wrapper and prepend
SbHeader.render() to hide LuCI sidebar when in portal context.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add unified SecuBox header navigation to all 12 Network Modes views
for consistent portal integration when accessed from SecuBox Portal:
- overview.js, router.js, accesspoint.js, doublenat.js
- multiwan.js, relay.js, sniffer.js, travel.js
- vpnrelay.js, dmz.js, wizard.js, settings.js
Pattern: Wrap view content with secubox-page-wrapper and prepend
SbHeader.render() to hide LuCI sidebar when in portal context.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds the unified SecuBox portal header navigation to:
- Client Guardian: overview, clients, zones, logs, alerts, parental, settings
- Media Flow: dashboard
- Netdata Dashboard: dashboard, settings
This hides the LuCI sidebar and provides consistent SecuBox navigation
across all dashboards when accessed from the SecuBox Portal.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete rewrite of Media Flow dashboard with modern dark theme
- Add inline CSS similar to nDPId dashboard style
- Add stats grid with flow count, stream count, service status
- Add clean cards for active streams display
- Add SecuBox header to CrowdSec overview page
- Fix sidebar visibility in CrowdSec pages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Render flow count and streaming count immediately from load() data
- No longer rely on async update after DOM insertion
- Use setTimeout fallback for periodic updates
- Fixes data not appearing on initial page load
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move updateFlowStats/updateServiceStats calls after DOM is ready
- Use requestAnimationFrame to ensure elements exist before updating
- Fixes "0 flows" display bug when data was actually available
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix notice boxes with dark theme compatible colors
- Fix flow stats section background (was white on dark)
- Fix donut chart center fill color for dark theme
- Fix progress bars and text colors throughout
- Use rgba() for semi-transparent backgrounds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PKG_NAME to luci-app-secubox-portal Makefile
- Add PKG_LICENSE to luci-app-zigbee2mqtt Makefile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add recovery/reset mode to CrowdSec wizard for bouncer registration issues
- Handle existing bouncer detection with database-level cleanup fallback
- Fix Media Flow pgrep -x issue and add start/stop service ACL permissions
- Fix duplicate nav bar in CrowdSec wizard with aggressive CSS hiding
- Add shared SecuBox header component for consistent navigation
- Fix all portal app links to match actual menu.d paths
- Add UI switcher between SecuBox Portal and standard LuCI
- Hide OpenWrt header and sidebar in SecuBox mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
