From peter.mueller@link38.eu Sun Jul  1 06:49:41 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] embed background image in redirect template
Date: Sun, 01 Jul 2018 07:49:10 +0200
Message-ID: <7cac879b-faef-ef9e-90f4-4fceec7d6c62@link38.eu>
In-Reply-To: <4f21dad3b82620d4b47b59fdd4c6b90288f7d283.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4228775931353222271=="

--===============4228775931353222271==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

yes, I built IPfire 2.x yesterday, and the image data were included
into /srv/web/ipfire/html/redirect-templates/legacy/template.html .

Is there anything wrong with this patch?

Best regards,
Peter M=C3=BCller

> Hey,
>=20
> On Sat, 2018-06-30 at 09:56 +0200, Peter M=C3=BCller wrote:
>> Embed the IPFire background image into the redirect template
>> directly via CSS instead of loading it from somewhere else.
>> This is necessary because of Content Security Policy (CSP) and
>> fixes #11650.
>=20
>> This patch inserts the base64 encoded image during build so
>> nothing needs to be updated twice in case background image
>> changes.
>=20
>> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
>> ---
>>  html/html/redirect-templates/legacy/template.html | 7 ++++++-
>>  lfs/web-user-interface                            | 4 ++++
>>  2 files changed, 10 insertions(+), 1 deletion(-)
>=20
>> diff --git a/html/html/redirect-templates/legacy/template.html
>> b/html/html/redirect-templates/legacy/template.html
>> index b5fb61ebe..297561e3a 100644
>> --- a/html/html/redirect-templates/legacy/template.html
>> +++ b/html/html/redirect-templates/legacy/template.html
>> @@ -3,11 +3,16 @@
>>  	<head>
>>  		<meta http-equiv=3D"Content-Type" content=3D"text/html;
>> charset=3Dutf-8">=20
>>  		<title>ACCESS MESSAGE</title>
>> +		<style content=3D"text/css">
>> +			td.image {
>> +				background-image:
>> url(data:image/gif;base64,IMAGEDATAPLACEHOLDER);
>> +			}
>> +		</style>
>>  	</head>
>>  	<body>
>>  		<table width=3D"100%" height=3D'100%' border=3D"0">
>>  			<tr>
>> -				<td colspan=3D'3' width=3D'100%' height=3D'130'
>> align=3D"center" background=3D"<TMPL_VAR NAME=3D"ADDRESS">/images/backgrou=
nd.gif">
>> +				<td colspan=3D'3' width=3D'100%' height=3D'152px'
>> align=3D"center" class=3D"image">&nbsp;</td>
>>  			<tr>
>>  				<td width=3D'10%'>
>>  				<td align=3D'center' bgcolor=3D'#CC000000'
>> width=3D'80%'>
>> diff --git a/lfs/web-user-interface b/lfs/web-user-interface
>> index 0c5688252..b023cbd86 100644
>> --- a/lfs/web-user-interface
>> +++ b/lfs/web-user-interface
>> @@ -50,6 +50,10 @@ md5:
>>  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>  	@$(PREBUILD)
>=20
>> +	# Add base64 encoded background image to Squid content access page
>> +	basedata=3D"$( base64 $(DIR_SRC)/html/html/images/background.gif )"
>> +	sed -i "s/IMAGEDATAPLACEHOLDER/${basedata}/g"
>> $(DIR_SRC)/html/html/redirect-templates/legacy/template.html
>=20
> Did you actually test this?
>=20
>> +
>>  	# Copy all html/cgi-bin files
>>  	mkdir -p /srv/web/ipfire/{cgi-bin,html}
>>  	mkdir -p /var/updatecache/{download,metadata}
>=20
> -Michael
>=20

--=20
"We don't care.  We don't have to.  We're the Phone Company."


--===============4228775931353222271==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWxzNGEzQUFDZ2tRMlVqeUQzMTcKbjJqUEJBLytKQVdZRDRrUzN0
d1ozaHJrVjFYL2Y0VkZoRkMyeGcyQXByQmNhcWowV001VVdKNkVMbUM5b1p4bwpITm9Ta2c3Mmly
YndjcGUzRSs3UmM1c1REQVRBSDZpbnlRc1k5RWIvMlY2b1JRYUZIZjNxV3VNbFhMMkMyV1ZIClA1
Q1FIV2w0Y3AwbDhpWVBlYk4xdjlBcTJ3VnYyUi9EelRUK3llcFByZ0VJOUtzRTRmL1VzRkErV0Y4
SzNQOXgKbWdkY2hTUGNWMmwxTWN5REdSQXEyamlhVXNkbHZRelVyMHJYN2pXS054ZGZDUHFPSVFp
dFJHVEpnamJmMzU1RwpMWi9SRE80YzU5R3BielRueXN4ZTh5SEFGK1IzNUF6a085YXNRQmswamF3
QXNWTHdpVTd0b3ltakhBZlBMQkZtCmJVdEVJcEtKc25PUm9jMjMrMnRybkxNb0xMSG9kWEtOK3Jk
RVZmekl6ZUVXUUNaeHlINk0wT0tEU2o1RUU5amsKM2pmUVJnN2tya1F5UDlYUUpPL2lBMmhzUzJ1
QzF3YVl4N3QvZlgxWW1qSW5aNnJyWFlISFJHR001UkU0WE9Jdwp5Mnp0L2FGNjZIckE0b2VxM2Yw
UlBIbkxsNXNna1l5ZGI3NkdJdDUzRXBncVEySDNtWUl3YXNuaFVKY1RaRzBmCm0xWFo2UzMxWjJN
WE05ZDNkSW5IYk5iNmQyNzFMNXljY1ByMGxOTFhlZ1doYWJCQ3JPUEZ5OHFKL2VCZ1ZNbFcKc3F6
UEZQc0tkREROUHhqcW1uQXJOYmRkdVFmS0VVU0hsVk5hRndYbGpMbUlPL2xYQVdVc3FJcjRFMEtO
MXdQWQpHNUI1WVBQU0ZOcWJGaVh0VEF0SUwzV2Z2Q0N4TUF5UGlCclFVZ3FPNnhMYkozVjE4cVk9
Cj1GV05ICi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============4228775931353222271==--


From peter.mueller@link38.eu Sun Jul  1 06:51:13 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: Core Update 2.12 Release Notes
Date: Sun, 01 Jul 2018 07:51:11 +0200
Message-ID: <4ac3cab4-17f3-a20a-3039-f6494db2c8b3@link38.eu>
In-Reply-To: <7c6507ee06948ee1e99dcc89a4693f6a4c2eba2d.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2464044465738507966=="

--===============2464044465738507966==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

> On Wed, 2018-06-27 at 21:37 +0200, Peter M=C3=BCller wrote:
>> Hello Michael,
>=20
>> could you add two smaller changes to the release notes of 2.12 :
>> - Firewall GUI enhancements (by Alex, make grouping of IPsec subnets possi=
ble)
>=20
>> - Pakfire key rollover finished
>=20
> This, technically, is not finished because the server still signs all files=
 with
> the old key.
>=20
> I didn't have time yet to update the scripts.
I see. Are you planning to do so before releasing the Core Update?

Best regards,
Peter M=C3=BCller
>=20
>> Thanks, and best regards,
>> Peter M=C3=BCller
>=20
>> P.S.: I hopefully will have some spare time to test this at the
>> weekend - along with a bunch of other things (rsyslog!). :-)
>=20

--=20
"We don't care.  We don't have to.  We're the Phone Company."


--===============2464044465738507966==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWxzNGE4OEFDZ2tRMlVqeUQzMTcKbjJpdlF3Ly9leElvalAvdEw5
YmhIR2hnMjhNMFRRYkRDbWo5M202dE1hNFZoWFFKWVE2K1pJZDhvRVdySkpjcgpxNmdHNWFrUERQ
M2hWQzk0cWtDWm1scG5ibnZ4R0cxaVlzVWM2ZWcwK2I5MXJpRHBEbjdEUlptL3JLWFR5RldzClVF
aDdNYzBlRmJwQmw2dzNPVzhBMlQvMFZDVHl6RHY5SzVtaWhtdXU3cW9aYXducyttL1ZyWmhSTXNW
b2htZEMKOVdSMG8xS3hOWmJFRmIzWWtLRVB4NlJpWklWaXJvS2FpY3lDZlpwYTVOejg5UXJkMUV0
eUE2VEN5QlgycjVjYQpwZ0dqR1BqM21FUTVsbDAzdjVSMC90dUhoOE8zKzhhcmdVMzJqWVFlejVF
VlNveE5tVjBQNzlNQ2phb2x5QmZsCmIrdVZTVEFxeEU3MUZkU0lqZVpGSFFJblJwU0o1RnRFekZ1
U1Fia1NmVzhpLzUzOThUYjQ5dExtNzV3WUJNVGQKbEcwcS9IOG1KWE5BZys2NE03d2Q3dEt3V2FP
cm9QY2diN1dxNmFJc0l3eXZSTXZaQ2g2a0VIaUFSTGNEZzFkTQptbTlDUkRRSlpaQ3lEUGpKcWhB
UVBGeWx3WGhvMTh0RFlVWWNzNGZoYzBkcmF2N1cxTmRwclJsQWtnbE1xRGhKCk54YXdzSWpCaUpu
eldmODFod2dVeGpuL1ZXS0UzM3A2eU5aNzBuVFQ4WnBsckU3RUxUbnBBdFgreGx4cTB5bDcKcm0r
bzhUdGkvWDExQUkvVnBkWUh4WWtiNi9xZkxUYUhOeCtYZ2lYeXhieCtBazAvdGxVenlZRXJsSm1G
alljLwpiNXZCRVJBcGdoTXF3dnRjQnRDa2dLVlRTemt4cWtZWGZDNXFRZ0JXZmR3VGJhendLSU09
Cj1EM1pkCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============2464044465738507966==--


From peter.mueller@link38.eu Sun Jul  1 07:00:21 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: In-/Outbound firewall configuration for Tor relay
Date: Sun, 01 Jul 2018 08:00:17 +0200
Message-ID: <4d83263e-ca97-701e-be4e-4788bd4e482e@link38.eu>
In-Reply-To: <d285bf5e6b378eaed27b8c2650fdc102be5d1a5b.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0032475305325435704=="

--===============0032475305325435704==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

> On Fri, 2018-06-29 at 23:26 +0200, Peter M=C3=BCller wrote:
>> Hello,
>=20
>> while incoming firewall rules seem to work by now, there are still
>> some issues with outgoing traffic:
>=20
>> (a) Since tor runs as "nobody" (why?), allowing traffic from this
>> user is out of questions because also untrusted services like Apache
>> occupy this user.
>=20
> Everything that is non-privileged runs as this. In IPFire 3 everything has =
its
> own user.
Is there a technical reason why we did not split this up into several
users in 2.x as well? How much work would it be to change this for 2.x too?
>=20
>> (b) Filtering by PID seems the only way, but creates error messages:
>=20
>> iptables v1.4.21: unknown option "--pid-owner"
>> Try `iptables -h' or 'iptables --help' for more information.
>=20
> Did you try the updated iptables that you submitted this week?
Not yet. It might be possible that "--pid-owner" is implemented there,
as it does not appear in the documentation for 1.4.x .

Either way, filtering by PID has some disadvantages:
(a) Every time a process changes its PID, we need to reload firewall.local.
(What do we do with forks anyway?) Since PIDs may not be unique on Linux
systems, some other program could obtain these network privileges.

(b) The initscript of Tor needs to be patched in order to reload firewall.loc=
al .
During boot sequence, things are loaded the other way round, so the PID
cannot be determined. A dedicated user would help here a lot.

At the moment, running a relay on an ARM board in the local DMZ seems to
be a more elegant way. However, on systems with any outbound connection allow=
ed
(which I _strongly_ advise against), this is not a pity since inbound connect=
ions
can be handled even by using the WebUI.

Best regards,
Peter M=C3=BCller
>=20
>> In firewall.local, this rule is currently placed:
>=20
>> iptables -A CUSTOMOUTPUT -o ppp0 -m owner --pid-owner $TORPID -p tcp -d
>> 0.0.0.0/0 -j ACCEPT
>=20
>> Besides from making things more easy in the future (development ;-) ),
>> is "--pid-owner" even supported by iptables running here? Or does it
>> require some special module?
>=20
> Not that I am aware of.
>=20
> -Michael
>=20
>=20
>> Best regards,
>> Peter M=C3=BCller
>=20
>> Am 28.06.2018 um 19:14 schrieb Peter M=C3=BCller:
>>> Hello Michael,
>>>
>>> thanks for the clarification.
>>>
>>>> Hello,
>>>>
>>>> On Wed, 2018-06-27 at 22:53 +0200, Peter M=C3=BCller wrote:
>>>>> Hello,
>>>>> for quite some time, IPFire includes Tor via Pakfire as an add-on.
>>>>> Trying to set up a Tor relay there, I stumbled into several problems
>>>>> regarding firewall rule configuration:
>>>>> (a) Inbound
>>>>> It turns out that Tor is not working correctly if GeoIP block is
>>>>> active (this occurred after a reboot - strange). Of course, one
>>>>> possibility is to disable GeoIP block at all, allow access to the
>>>>> Tor relay ports, and deny any except those of legitimate countries
>>>>> to other services on the firewall machine.
>>>>
>>>> You can use the normal firewall rules for a more granular configuration.
>>>>
>>>> The geoip filter comes first and then all the rest. Depending on how many
>>>> countries you block here, Tor connectivity becomes a little bit useless.
>>>
>>> Indeed. And I block many... :-)
>>>>
>>>>> Since this enlarges the ruleset (already quite complex here :-| ),
>>>>> I am wondering if there is a more simple way to achieve this.
>>>>
>>>> We could move tor rules before the GeoIP filter, but I am not sure if th=
at
>>>> is
>>>> very intuitive.
>>>
>>> I do not think so since users may expect anything is blocked then and
>>> wonder why Tor still works fine. We should keep firewall things intention=
al
>>> in order not to puzzle users.
>>>
>>> OK, incoming way is solved then.
>>>>
>>>>> (b) Outbound
>>>>> For security reasons (surprise!), outgoing connections are heavily
>>>>> limited here - only DNS, NTP and web traffic is allowed, and only
>>>>> to a certain list of countries. Some call that "racist routing"...
>>>>> This does not work with Tor since it needs to open connections to
>>>>> almost any port on almost any IP address. Allowing outbound traffic
>>>>> in general is out of question, so there seems to possibility left.
>>>>> Besides from running a Tor relay in the local DMZ and apply the
>>>>> firewall rules for this machine, is there another way?
>>>>
>>>> Not that I am aware of.
>>>>
>>>> You can build something custom here by using the -m owner module of
>>>> iptables and
>>>> make an exception in the OUTPUT chain for the tor process. You just need=
 a
>>>> little script that puts the pid into it if you cannot check by uid.
>>>
>>> Hm, I never used the "owner" module before...
>>>
>>> I guess these custom firewall will need to be placed in "firewall.local"
>>> (https://wiki.ipfire.org/configuration/firewall/firewall.local)? According
>>> to the firewall processing scheme
>>> (https://wiki.ipfire.org/_media/configuration/firewall/ipfire_fw_chains.j=
pg)
>>> ,
>>> it is processed before anything else, so this would suit.
>>>
>>> Will test this and get back if problems occur.
>>>>
>>>
>>> Best regards,
>>> Peter M=C3=BCller
>>>
>=20
>=20
>=20

--=20
"We don't care.  We don't have to.  We're the Phone Company."


--===============0032475305325435704==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWxzNGJmRUFDZ2tRMlVqeUQzMTcKbjJoalNBLy9SR0s1TW1Dc1ox
cTN0UFdwQjJFVEVsaEVPTDFYUzdmNHNqK2toQjJiWlA4SmtDb3ZGbklBQWRaVQp2WG1qMXBIQkpC
ZTkrQmQ0K2QrbzU5WXVjRy9wbVNWOUd3YU9weTJqVmZDN3JFT2h1emVsVEtyZ0VPV3BXTERXCjJ1
VitUYk1WSDdlTnpIZHp4RmU5UWNZL3ZrRHNpdWF5YUJkUmdTdWE0am5YSWRublV5UHZIRFdNZXRB
eVlTZDEKT0NoMkFEeVdNSTZhY3BRQTlOeGZoak5kb25KRnl3L2pZNEJObHdKRG4rT2dENVlWMnZh
ZXNmRWZvNDFBU3A1WAppWVd3NUZNcEhhZGhEZzVXUWJVT1pjeFgwMnorK1VmVFpSTmVtc1VXZEQv
cmNmWVd6UlgwR3hyOU1ZTWxvejBWCjd5d3c5MEE4ZVZzclhyNTdUWkZDNURlS216NG9NWCt0TUJv
UTMxMDI3cXk0MUtyeGNka2h4SW5yTG1kZDhWdFkKdUQvcHZlekpiVEtMMnJtQ0xOTDg5dWpJSHNL
MysvSVF1SkpjY0NJcE9lV0ZldkloZzBGOEQyY09UWGNKRHJhbQpuOW12dzY0a25TblBJeGxpdFNV
SlF0anh6ZDFkWWtDWWRvUDFHdmpBYkNLN0N2OXhESkFZMk1Ed0dHemVrOExlCmV1Z2lnN2Y3Q2N5
U25Gc1VDNmI0SHRMRFlNUm1LV0N2dG5WWEQ3NkgwTGxqY0pNOXZGR0VYR1RSL2hiU04zZjMKc1Ew
dExZdGN4SlRtVHVIQllMeGNabXBFOEVRR042ZFhvTkZiRGc5S3hzZmtNeUljblpUVEhGbmlGTnhw
WlF4RgpZdVE0RFphKzE3Q3c2cHFaS0pCRGlRTnFJeFgxS3R0cndzbmVHMlNmRmpKbEYwWnNGbHM9
Cj03WVFQCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============0032475305325435704==--


From peter.mueller@link38.eu Sun Jul  1 07:11:04 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: [PATCH] libsrtp: update to 2.2.0
Date: Sun, 01 Jul 2018 08:11:02 +0200
Message-ID: <d557feb3-a40d-3c50-a464-e0b447dc5675@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7373181951778079689=="

--===============7373181951778079689==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This fixes a number of bugs and security issues.

Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
---
 config/rootfiles/packages/libsrtp | 49 +++++++------------------------------=
--
 lfs/libsrtp                       |  6 ++---
 2 files changed, 11 insertions(+), 44 deletions(-)

diff --git a/config/rootfiles/packages/libsrtp b/config/rootfiles/packages/li=
bsrtp
index 3ee2e3b64..d033c34a6 100644
--- a/config/rootfiles/packages/libsrtp
+++ b/config/rootfiles/packages/libsrtp
@@ -1,41 +1,8 @@
-#usr/include/srtp
-#usr/include/srtp/aes.h
-#usr/include/srtp/aes_cbc.h
-#usr/include/srtp/aes_gcm_ossl.h
-#usr/include/srtp/aes_icm.h
-#usr/include/srtp/aes_icm_ossl.h
-#usr/include/srtp/alloc.h
-#usr/include/srtp/auth.h
-#usr/include/srtp/cipher.h
-#usr/include/srtp/config.h
-#usr/include/srtp/crypto.h
-#usr/include/srtp/crypto_kernel.h
-#usr/include/srtp/crypto_math.h
-#usr/include/srtp/crypto_types.h
-#usr/include/srtp/cryptoalg.h
-#usr/include/srtp/datatypes.h
-#usr/include/srtp/ekt.h
-#usr/include/srtp/err.h
-#usr/include/srtp/getopt_s.h
-#usr/include/srtp/gf2_8.h
-#usr/include/srtp/hmac.h
-#usr/include/srtp/integers.h
-#usr/include/srtp/kernel_compat.h
-#usr/include/srtp/key.h
-#usr/include/srtp/null_auth.h
-#usr/include/srtp/null_cipher.h
-#usr/include/srtp/prng.h
-#usr/include/srtp/rand_source.h
-#usr/include/srtp/rdb.h
-#usr/include/srtp/rdbx.h
-#usr/include/srtp/rtp.h
-#usr/include/srtp/rtp_priv.h
-#usr/include/srtp/sha1.h
-#usr/include/srtp/srtp.h
-#usr/include/srtp/srtp_priv.h
-#usr/include/srtp/stat.h
-#usr/include/srtp/ut_sim.h
-#usr/include/srtp/xfm.h
-usr/lib/libsrtp.so
-usr/lib/libsrtp.so.1
-#usr/lib/pkgconfig/libsrtp.pc
+#usr/include/srtp2
+#usr/include/srtp2/auth.h
+#usr/include/srtp2/cipher.h
+#usr/include/srtp2/crypto_types.h
+#usr/include/srtp2/srtp.h
+usr/lib/libsrtp2.so
+usr/lib/libsrtp2.so.1
+#usr/lib/pkgconfig/libsrtp2.pc
diff --git a/lfs/libsrtp b/lfs/libsrtp
index d72a240ec..9fafb3606 100644
--- a/lfs/libsrtp
+++ b/lfs/libsrtp
@@ -24,14 +24,14 @@
=20
 include Config
=20
-VER        =3D 1.5.4
+VER        =3D 2.2.0
 THISAPP    =3D libsrtp-$(VER)
 DL_FILE    =3D $(THISAPP).tar.gz
 DL_FROM    =3D $(URL_IPFIRE)
 DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
 TARGET     =3D $(DIR_INFO)/$(THISAPP)
 PROG       =3D libsrtp
-PAK_VER    =3D 3
+PAK_VER    =3D 4
=20
 DEPS       =3D ""
=20
@@ -43,7 +43,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_MD5 =3D 64a9580f86a9c3e1c4986e944e6a5a84
+$(DL_FILE)_MD5 =3D f77a27457d219f2991ea7aa2f0c11ec9
=20
 install : $(TARGET)
=20
--=20
2.16.4


--===============7373181951778079689==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWxzNGNIWUFDZ2tRMlVqeUQzMTcKbjJnV3pnLytNcUMwZlE2MVli
aithME5nS0t6TkFsdUpUZVR0VHl0djNjTTV4b1YvV2ZJbmtvK0RWVi8rcXZRbApMTk9reFpKd3px
Ujl6c0xGN3AxNWlnc2FILzU3R3dsSUY5aWJMUW5QWGx0MUZFaVVMa1VJME9yTU9aVFhBRXdWCmVi
OEZIWWkySXpQNmc4Mng1S2IzaGY5bkZPZmtqVlk4QU9QZVBNSkd4OHFsbytiWGZ2cC9yam44Q3pw
RzdBMGIKK3RobFkxZEFORUZobHdGSEV2Y3k2SDdYSjUrbnptU0krS3BVNER1bkhGeW1ob2czd2t0
Mk1yQTFhT0hia3MvWgovUGorY0toZ0M3YXhQcnd6VFo4dmNCNFRNRlNteEkvb0kwQ2YyWHV3MWVa
UTQ5dTlVdlU3dTlVRXNkb2x0dmFNCmtWSGdTRE1UTHJ6eGFJdGJtMStnZm1OM0VlMHU5TEo2OUhI
RUQ2UzBQOFR0VUpFekZaeGtxSXQ4TXBSKzl0WWkKKzZNR2l6UTh1Q2d2UE8vSEpiTy9DT0JkaXBk
WmZjQXA0aHd1LzVscVR2UlRZSElvOVpnM2Y0NkNwN0N0WXAxOQpINVRFZ00ycFJkb3A0TFlyUkFM
NS9JWC9jYWFUekZNQ3NnUUlwaDhINjFwaGx1MzBEMUJTczVEa05BUkk1bGpoClovdkQ4SGE1WVZ4
RE5RdUthSmhvaS9hWVpra01YOXorQzFnTytvOWdvbVExRWRqdUF4cElhNThNWkYrNEFabjAKWUg5
TThZay9kQkR2cU5lV0hlLzBJN3hXR0U2bTg1WEFHYk1rMk5WSGZJRkNrUHBLdXl2aGdOazU1clZB
TmVBRApSNkhBWDY3cjBRU0s1YnRtQkhJdEZYa3lQKzRFWWZmSWhUekhsUExEV2F6RFFDQkR2b1U9
Cj1pVjg3Ci0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============7373181951778079689==--


From michael.tremer@ipfire.org Sun Jul  1 10:36:51 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] embed background image in redirect template
Date: Sun, 01 Jul 2018 10:36:48 +0100
Message-ID: <62c066635c2dabc0643f405e3a1b22520bd4c870.camel@ipfire.org>
In-Reply-To: <7cac879b-faef-ef9e-90f4-4fceec7d6c62@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2088154480027926634=="

--===============2088154480027926634==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

On Sun, 2018-07-01 at 07:49 +0200, Peter M=C3=BCller wrote:
> Hello Michael,
>=20
> yes, I built IPfire 2.x yesterday, and the image data were included
> into /srv/web/ipfire/html/redirect-templates/legacy/template.html .
>=20
> Is there anything wrong with this patch?

Yes, see below...

> Best regards,
> Peter M=C3=BCller
>=20
> > Hey,
> >=20
> > On Sat, 2018-06-30 at 09:56 +0200, Peter M=C3=BCller wrote:
> > > Embed the IPFire background image into the redirect template
> > > directly via CSS instead of loading it from somewhere else.
> > > This is necessary because of Content Security Policy (CSP) and
> > > fixes #11650.
> > > This patch inserts the base64 encoded image during build so
> > > nothing needs to be updated twice in case background image
> > > changes.
> > > Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
> > > ---
> > >  html/html/redirect-templates/legacy/template.html | 7 ++++++-
> > >  lfs/web-user-interface                            | 4 ++++
> > >  2 files changed, 10 insertions(+), 1 deletion(-)
> > > diff --git a/html/html/redirect-templates/legacy/template.html
> > > b/html/html/redirect-templates/legacy/template.html
> > > index b5fb61ebe..297561e3a 100644
> > > --- a/html/html/redirect-templates/legacy/template.html
> > > +++ b/html/html/redirect-templates/legacy/template.html
> > > @@ -3,11 +3,16 @@
> > >  	<head>
> > >  		<meta http-equiv=3D"Content-Type" content=3D"text/html;
> > > charset=3Dutf-8">=20
> > >  		<title>ACCESS MESSAGE</title>
> > > +		<style content=3D"text/css">
> > > +			td.image {
> > > +				background-image:
> > > url(data:image/gif;base64,IMAGEDATAPLACEHOLDER);
> > > +			}
> > > +		</style>
> > >  	</head>
> > >  	<body>
> > >  		<table width=3D"100%" height=3D'100%' border=3D"0">
> > >  			<tr>
> > > -				<td colspan=3D'3' width=3D'100%' height=3D'130'
> > > align=3D"center" background=3D"<TMPL_VAR
> > > NAME=3D"ADDRESS">/images/background.gif">
> > > +				<td colspan=3D'3' width=3D'100%'
> > > height=3D'152px'
> > > align=3D"center" class=3D"image">&nbsp;</td>
> > >  			<tr>
> > >  				<td width=3D'10%'>
> > >  				<td align=3D'center' bgcolor=3D'#CC000000'
> > > width=3D'80%'>
> > > diff --git a/lfs/web-user-interface b/lfs/web-user-interface
> > > index 0c5688252..b023cbd86 100644
> > > --- a/lfs/web-user-interface
> > > +++ b/lfs/web-user-interface
> > > @@ -50,6 +50,10 @@ md5:
> > >  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > >  	@$(PREBUILD)
> > > +	# Add base64 encoded background image to Squid content access
> > > page
> > > +	basedata=3D"$( base64 $(DIR_SRC)/html/html/images/background.gif )"
> > > +	sed -i "s/IMAGEDATAPLACEHOLDER/${basedata}/g"
> > > $(DIR_SRC)/html/html/redirect-templates/legacy/template.html

This isn't a shell script. It is make in which every line invokes a new shell.
Therefore the variable assignment happens in one shell and then the next line=
 in
executed in a new one which knows nothing about the previous variable
assignment.

You will have an empty image in the result file I think.

- -Michael

> >=20
> > Did you actually test this?
> >=20
> > > +
> > >  	# Copy all html/cgi-bin files
> > >  	mkdir -p /srv/web/ipfire/{cgi-bin,html}
> > >  	mkdir -p /var/updatecache/{download,metadata}
> >=20
> > -Michael
> >=20
>=20
>=20
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls4oLEACgkQgHnw/2+Q
CQeJPA//TaqkNL0v9LL6IHEdI2hgHi64CjySvcDvdl3OjCw0oB5EEU5NivgI2jne
Wbdlgq6GwJdZaMAUP753MQVCFznO29RSSwKxo9wlCaqMnYxmPe0f83WepWV4c7dL
Fo8CplgYDdRk24wI7p68Gmexg2ZJj83IYHNTLQhqCI23WVhKtjiXQu0hRen/rreW
KVoz/xqmjge2a34MhGOlbx7ZKDK0qzvpQC3ZmNgDn9BEOHHBdaxPal6b0NbyyaAu
rNssQxhf5gAWGWvqCnKSf+hDgAckhpS5O6yvKp3SzlDvq2YSfVsAWSpTlAv4L/JY
gGXRsd0cu9JMjLWD2gafCJ2cPHTZAYDo9Ll+NLIUi0deHTKPIsc+8XeL6U2z51qE
SoWUtE0RI9Qbz80r7N/EDOVc6mIMJ1dxCQdEA2M+JDyBKyZOJRfpxG3Hf0k+JxxD
N/V/u5IXxgb8CVOGQ99pPYVqI7qDVcP4eGjB49p32UxAplxg4z+d0E6JAYUjyjET
uhlHUv9T/vlp8bt+GZTTyInTu/5qF5JWxeL78EIgcM868BnxI4S1Fq222P9suTy5
G9rxLK6Omf2I/YhLi9aTdjY358Qh6MUuxT0GCpr6FJFM+XnYnymsvACNM68Cji5s
MNhDre+R68qb9KOcWv5kAi4lOH6sQaimzXSDalZ0QnWV1m+2ch8=3D
=3D31DP
-----END PGP SIGNATURE-----


--===============2088154480027926634==--


From michael.tremer@ipfire.org Sun Jul  1 10:37:24 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] libsrtp: update to 2.2.0
Date: Sun, 01 Jul 2018 10:37:23 +0100
Message-ID: <6c4a2c756f08971a67fa3a6f2f25846b2797c0ba.camel@ipfire.org>
In-Reply-To: <d557feb3-a40d-3c50-a464-e0b447dc5675@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8601792143198904062=="

--===============8601792143198904062==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Is asterisk compatible with the new version?

- -Michael

On Sun, 2018-07-01 at 08:11 +0200, Peter M=C3=BCller wrote:
> This fixes a number of bugs and security issues.
>=20
> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
> ---
>  config/rootfiles/packages/libsrtp | 49 +++++++----------------------------=
---
> -
>  lfs/libsrtp                       |  6 ++---
>  2 files changed, 11 insertions(+), 44 deletions(-)
>=20
> diff --git a/config/rootfiles/packages/libsrtp
> b/config/rootfiles/packages/libsrtp
> index 3ee2e3b64..d033c34a6 100644
> --- a/config/rootfiles/packages/libsrtp
> +++ b/config/rootfiles/packages/libsrtp
> @@ -1,41 +1,8 @@
> -#usr/include/srtp
> -#usr/include/srtp/aes.h
> -#usr/include/srtp/aes_cbc.h
> -#usr/include/srtp/aes_gcm_ossl.h
> -#usr/include/srtp/aes_icm.h
> -#usr/include/srtp/aes_icm_ossl.h
> -#usr/include/srtp/alloc.h
> -#usr/include/srtp/auth.h
> -#usr/include/srtp/cipher.h
> -#usr/include/srtp/config.h
> -#usr/include/srtp/crypto.h
> -#usr/include/srtp/crypto_kernel.h
> -#usr/include/srtp/crypto_math.h
> -#usr/include/srtp/crypto_types.h
> -#usr/include/srtp/cryptoalg.h
> -#usr/include/srtp/datatypes.h
> -#usr/include/srtp/ekt.h
> -#usr/include/srtp/err.h
> -#usr/include/srtp/getopt_s.h
> -#usr/include/srtp/gf2_8.h
> -#usr/include/srtp/hmac.h
> -#usr/include/srtp/integers.h
> -#usr/include/srtp/kernel_compat.h
> -#usr/include/srtp/key.h
> -#usr/include/srtp/null_auth.h
> -#usr/include/srtp/null_cipher.h
> -#usr/include/srtp/prng.h
> -#usr/include/srtp/rand_source.h
> -#usr/include/srtp/rdb.h
> -#usr/include/srtp/rdbx.h
> -#usr/include/srtp/rtp.h
> -#usr/include/srtp/rtp_priv.h
> -#usr/include/srtp/sha1.h
> -#usr/include/srtp/srtp.h
> -#usr/include/srtp/srtp_priv.h
> -#usr/include/srtp/stat.h
> -#usr/include/srtp/ut_sim.h
> -#usr/include/srtp/xfm.h
> -usr/lib/libsrtp.so
> -usr/lib/libsrtp.so.1
> -#usr/lib/pkgconfig/libsrtp.pc
> +#usr/include/srtp2
> +#usr/include/srtp2/auth.h
> +#usr/include/srtp2/cipher.h
> +#usr/include/srtp2/crypto_types.h
> +#usr/include/srtp2/srtp.h
> +usr/lib/libsrtp2.so
> +usr/lib/libsrtp2.so.1
> +#usr/lib/pkgconfig/libsrtp2.pc
> diff --git a/lfs/libsrtp b/lfs/libsrtp
> index d72a240ec..9fafb3606 100644
> --- a/lfs/libsrtp
> +++ b/lfs/libsrtp
> @@ -24,14 +24,14 @@
> =20
>  include Config
> =20
> -VER        =3D 1.5.4
> +VER        =3D 2.2.0
>  THISAPP    =3D libsrtp-$(VER)
>  DL_FILE    =3D $(THISAPP).tar.gz
>  DL_FROM    =3D $(URL_IPFIRE)
>  DIR_APP    =3D $(DIR_SRC)/$(THISAPP)
>  TARGET     =3D $(DIR_INFO)/$(THISAPP)
>  PROG       =3D libsrtp
> -PAK_VER    =3D 3
> +PAK_VER    =3D 4
> =20
>  DEPS       =3D ""
> =20
> @@ -43,7 +43,7 @@ objects =3D $(DL_FILE)
> =20
>  $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
> =20
> -$(DL_FILE)_MD5 =3D 64a9580f86a9c3e1c4986e944e6a5a84
> +$(DL_FILE)_MD5 =3D f77a27457d219f2991ea7aa2f0c11ec9
> =20
>  install : $(TARGET)
> =20
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls4oNMACgkQgHnw/2+Q
CQfX0g//UG+4P7pOtFHIQcPFOALJrI4cCrtbwr6omHOWxCMYUIn5FXs59llCXuwW
ZfsVy7GqzSWd8/yVL8TYTkM2vR2/j3HO9OCjwO7bvbyJrxTC28H32Q3laePCaPIB
sVC2LKYT25nUrLi4+28NT+zzs6bt8EOuI7d4E9wliVHlZYCwhUnbPCRYWFedPTkW
nLUp1OA5y2jLCjfFMDM/GS4WIYkG8fem4i2fMC98rcFvBYh2ai9smoUsMv3FAiXF
upuXqmXokf3kOUvnREkFTnq8iyXFP0mP/KAjqaH+QVphzW/W3yLhKEF+UktcxfBf
tbsKZieGz6ybhdA4G51VgRKmpsr/05in70uPWEMnGR9z15y6QfYIkgJMdjom0980
NOubGGFl+HESKZpGiSvEnmX+ntfykXWMjRjsmaZmewkWANQMHVXYgWGYdbDJCiz2
UYFB0eTOm0zYgs8gpkNPl3qsYtQZrjEqHs88S+ToOhxkKHdPw8u5Y1jVZ7S7rEni
ptCbn+zaQB47yfFl1pN6rgp07We7F5rMEv5jmR9JyCmnE+LYO5UgEjjtdA6YVEz5
bFqCak3SL6gT43DcBN0oUt8Ivguf0SQ3BKpC+wCMNsjp3p9j/mvUR0A0CF7nrKAE
DBuuwIQUUfOz3ztZZHCJyBs6OmXzXYwCHeyjTvumNQZkfnjdTAI=3D
=3DQHhN
-----END PGP SIGNATURE-----


--===============8601792143198904062==--


From michael.tremer@ipfire.org Sun Jul  1 10:38:04 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Core Update 2.12 Release Notes
Date: Sun, 01 Jul 2018 10:38:03 +0100
Message-ID: <75a2f4b9f0ccdc34b949a5069590e01c361e61ea.camel@ipfire.org>
In-Reply-To: <4ac3cab4-17f3-a20a-3039-f6494db2c8b3@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9024770554610713001=="

--===============9024770554610713001==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sun, 2018-07-01 at 07:51 +0200, Peter M=C3=BCller wrote:
> Hello,
>=20
> > On Wed, 2018-06-27 at 21:37 +0200, Peter M=C3=BCller wrote:
> > > Hello Michael,
> > > could you add two smaller changes to the release notes of 2.12 :
> > > - Firewall GUI enhancements (by Alex, make grouping of IPsec subnets
> > > possible)
> > > - Pakfire key rollover finished
> >=20
> > This, technically, is not finished because the server still signs all fil=
es
> > with
> > the old key.
> >=20
> > I didn't have time yet to update the scripts.
>=20
> I see. Are you planning to do so before releasing the Core Update?

I was, but cannot guarantee it since I have a lot of stuff going on at the
moment.

- -Michael

>=20
> Best regards,
> Peter M=C3=BCller
> >=20
> > > Thanks, and best regards,
> > > Peter M=C3=BCller
> > > P.S.: I hopefully will have some spare time to test this at the
> > > weekend - along with a bunch of other things (rsyslog!). :-)
>=20
>=20
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls4oPsACgkQgHnw/2+Q
CQeHFQ//bV4e66SaqA5G65cVzow1XIgCPVLPJyX4zbPMWXImKahxurD4r31HBBEQ
AXyGQOpgofrAbb6V/8YhdOVCt5lv1D0MUI0uBPmboMOtvWx9RZA9fRlzaWyP6Z4R
PxtSsizW87QPY90STs0a9cofhB+YLD5/BilrhCCkyfBnUZNnYCMuC4p/XTl1U7Jo
IE8Lr5jUUtqoS6kQIM5GaPe3TU0By57UgbyRkPG/UWMtshqKIYGdb8uyaUiljDNg
YQ2vaSsqFrMDGPH5fj8KMkBTNuIsHiq+fFa8UgKT4HVBNWSnTj/zV7H4ML4ha9fG
eDg/ObUxmQsMDSg08L9XRyYQ+fDxNonlvPYSjh2ApCX3eSuID9NE1Fg9RVGl47dz
eB0DaOl5CbAdqAnUIAW+c8Dd4gZLxvQRi/yMXxitiFh2vHTqfr7MK6uMjZdrTAs8
3aKsPCn+UiNXE5cFHBioG5sZv/fnsa09bXrwS/u2JPg0xRmB3TMzZfkrEonMdDxv
scNF16sJZLxNsglFh9/Pj8H8klCHqvQI7/bcNf+qrTesy3NY+3B3+jO7PxUDfoCr
v4Tkg7aV7f0oiqIzukGnoGTzaiNJ7wlBnnve4P+g+CXmWoEdTP7cQcf/hNGN6h0Z
P7TTXL/TtHnKIBqc3+4B1DWS/+ylfK1JWc0+ZZwmpE2mqYIJSDM=3D
=3Dzlsr
-----END PGP SIGNATURE-----


--===============9024770554610713001==--


From michael.tremer@ipfire.org Sun Jul  1 10:39:38 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: In-/Outbound firewall configuration for Tor relay
Date: Sun, 01 Jul 2018 10:39:37 +0100
Message-ID: <d148edd8897d86ea00150380347acc4b0b3cae7d.camel@ipfire.org>
In-Reply-To: <4d83263e-ca97-701e-be4e-4788bd4e482e@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6390085850416560495=="

--===============6390085850416560495==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sun, 2018-07-01 at 08:00 +0200, Peter M=C3=BCller wrote:
> Hello Michael,
>=20
> > On Fri, 2018-06-29 at 23:26 +0200, Peter M=C3=BCller wrote:
> > > Hello,
> > > while incoming firewall rules seem to work by now, there are still
> > > some issues with outgoing traffic:
> > > (a) Since tor runs as "nobody" (why?), allowing traffic from this
> > > user is out of questions because also untrusted services like Apache
> > > occupy this user.
> >=20
> > Everything that is non-privileged runs as this. In IPFire 3 everything has
> > its
> > own user.
>=20
> Is there a technical reason why we did not split this up into several
> users in 2.x as well? How much work would it be to change this for 2.x too?

Yes, useradd isn't very well configured and does (or did) not support system
users and all this stuff. You can give it a try.

> >=20
> > > (b) Filtering by PID seems the only way, but creates error messages:
> > > iptables v1.4.21: unknown option "--pid-owner"
> > > Try `iptables -h' or 'iptables --help' for more information.
> >=20
> > Did you try the updated iptables that you submitted this week?
>=20
> Not yet. It might be possible that "--pid-owner" is implemented there,
> as it does not appear in the documentation for 1.4.x .
>=20
> Either way, filtering by PID has some disadvantages:
> (a) Every time a process changes its PID, we need to reload firewall.local.
> (What do we do with forks anyway?) Since PIDs may not be unique on Linux
> systems, some other program could obtain these network privileges.
>=20
> (b) The initscript of Tor needs to be patched in order to reload
> firewall.local .
> During boot sequence, things are loaded the other way round, so the PID
> cannot be determined. A dedicated user would help here a lot.

Agreed.

> At the moment, running a relay on an ARM board in the local DMZ seems to
> be a more elegant way. However, on systems with any outbound connection
> allowed
> (which I _strongly_ advise against), this is not a pity since inbound
> connections
> can be handled even by using the WebUI.
>=20
> Best regards,
> Peter M=C3=BCller
> >=20
> > > In firewall.local, this rule is currently placed:
> > > iptables -A CUSTOMOUTPUT -o ppp0 -m owner --pid-owner $TORPID -p tcp -d
> > > 0.0.0.0/0 -j ACCEPT
> > > Besides from making things more easy in the future (development ;-) ),
> > > is "--pid-owner" even supported by iptables running here? Or does it
> > > require some special module?
> >=20
> > Not that I am aware of.
> >=20
> > -Michael
> >=20
> >=20
> > > Best regards,
> > > Peter M=C3=BCller
> > > Am 28.06.2018 um 19:14 schrieb Peter M=C3=BCller:
> > > > Hello Michael,
> > > >=20
> > > > thanks for the clarification.
> > > >=20
> > > > > Hello,
> > > > >=20
> > > > > On Wed, 2018-06-27 at 22:53 +0200, Peter M=C3=BCller wrote:
> > > > > > Hello,
> > > > > > for quite some time, IPFire includes Tor via Pakfire as an add-on.
> > > > > > Trying to set up a Tor relay there, I stumbled into several probl=
ems
> > > > > > regarding firewall rule configuration:
> > > > > > (a) Inbound
> > > > > > It turns out that Tor is not working correctly if GeoIP block is
> > > > > > active (this occurred after a reboot - strange). Of course, one
> > > > > > possibility is to disable GeoIP block at all, allow access to the
> > > > > > Tor relay ports, and deny any except those of legitimate countries
> > > > > > to other services on the firewall machine.
> > > > >=20
> > > > > You can use the normal firewall rules for a more granular
> > > > > configuration.
> > > > >=20
> > > > > The geoip filter comes first and then all the rest. Depending on how
> > > > > many
> > > > > countries you block here, Tor connectivity becomes a little bit
> > > > > useless.
> > > >=20
> > > > Indeed. And I block many... :-)
> > > > >=20
> > > > > > Since this enlarges the ruleset (already quite complex here :-| ),
> > > > > > I am wondering if there is a more simple way to achieve this.
> > > > >=20
> > > > > We could move tor rules before the GeoIP filter, but I am not sure =
if
> > > > > that
> > > > > is
> > > > > very intuitive.
> > > >=20
> > > > I do not think so since users may expect anything is blocked then and
> > > > wonder why Tor still works fine. We should keep firewall things
> > > > intentional
> > > > in order not to puzzle users.
> > > >=20
> > > > OK, incoming way is solved then.
> > > > >=20
> > > > > > (b) Outbound
> > > > > > For security reasons (surprise!), outgoing connections are heavily
> > > > > > limited here - only DNS, NTP and web traffic is allowed, and only
> > > > > > to a certain list of countries. Some call that "racist routing"...
> > > > > > This does not work with Tor since it needs to open connections to
> > > > > > almost any port on almost any IP address. Allowing outbound traff=
ic
> > > > > > in general is out of question, so there seems to possibility left.
> > > > > > Besides from running a Tor relay in the local DMZ and apply the
> > > > > > firewall rules for this machine, is there another way?
> > > > >=20
> > > > > Not that I am aware of.
> > > > >=20
> > > > > You can build something custom here by using the -m owner module of
> > > > > iptables and
> > > > > make an exception in the OUTPUT chain for the tor process. You just
> > > > > need a
> > > > > little script that puts the pid into it if you cannot check by uid.
> > > >=20
> > > > Hm, I never used the "owner" module before...
> > > >=20
> > > > I guess these custom firewall will need to be placed in "firewall.loc=
al"
> > > > (https://wiki.ipfire.org/configuration/firewall/firewall.local)?
> > > > According
> > > > to the firewall processing scheme
> > > > (https://wiki.ipfire.org/_media/configuration/firewall/ipfire_fw_chai=
ns.
> > > > jpg)
> > > > ,
> > > > it is processed before anything else, so this would suit.
> > > >=20
> > > > Will test this and get back if problems occur.
> > > > >=20
> > > >=20
> > > > Best regards,
> > > > Peter M=C3=BCller
> > > >=20
> >=20
> >=20
> >=20
>=20
>=20
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls4oVkACgkQgHnw/2+Q
CQf5KxAAg270VjY7AG/yiV8O8auIVePrpaQ74EfbpYIRUHBWH7uPqF7Ag4TB40Ho
CCqdP6mowePfTjmgM6UDU9vry3Pu0hh/L+gKHtw3cNh2TZJGfNDjeCvcG+kMV8oA
j945kk1awse34XDgiJh8wpemvNzpIqKIRJFJvo8VdKhI6d1IeIgA3VWhJjv/31lU
cl8J4WJW9dVy750eM7oHRMxE6RY8TvDnQHP1CYCRBwwH21jN9rHyIU55zJbCkm6N
i4acEyUD6IiYUslHEudp6Sa5UzCrSnuVb/cNn3xUnjmwUyRfTJkXg1ypWgn/IV9N
PTg+G/QkNYrC2CH2LtIKnTguTF026OZzCfAhkpoLdUsdNG/W4R/1iANr6QzuDZz7
4jHi6F6ujEontoRKecXxIq0lbv21bHM8kKGS8lXDUZSafX9ku0ALzRCCJcvMygOJ
k3RN3iyMQg5PEIDJ9sOt8eBoYS22TNTYbgJShesI+WR9srv2pNWjdM8q7gXC4UmU
Giu4//MN2R/f5R0WpSPzTzEved01j+cGcKSDacAdRwACNlRXY3utNE0MCKF4KXo5
NmUmbM+XFIpAP5qGjvpa65tHfOeI9rZAIjdbVsd0RNEuhwVrKENfKN09pt6Pz87Z
sPciMueAK056cAPrJd63HIoUxaxIVPpEyvqk5tiSCUFagB8YtEQ=3D
=3D17qc
-----END PGP SIGNATURE-----


--===============6390085850416560495==--


From peter.mueller@link38.eu Sun Jul  1 12:45:43 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] embed background image in redirect template
Date: Sun, 01 Jul 2018 13:45:32 +0200
Message-ID: <b839dae0-5b5a-271e-8834-03a4c8c5e033@link38.eu>
In-Reply-To: <62c066635c2dabc0643f405e3a1b22520bd4c870.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6902841613735296234=="

--===============6902841613735296234==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

> Hi,
>=20
> On Sun, 2018-07-01 at 07:49 +0200, Peter M=C3=BCller wrote:
>> Hello Michael,
>=20
>> yes, I built IPfire 2.x yesterday, and the image data were included
>> into /srv/web/ipfire/html/redirect-templates/legacy/template.html .
>=20
>> Is there anything wrong with this patch?
>=20
> Yes, see below...
>=20
>> Best regards,
>> Peter M=C3=BCller
>=20
>>> Hey,
>>>
>>> On Sat, 2018-06-30 at 09:56 +0200, Peter M=C3=BCller wrote:
>>>> Embed the IPFire background image into the redirect template
>>>> directly via CSS instead of loading it from somewhere else.
>>>> This is necessary because of Content Security Policy (CSP) and
>>>> fixes #11650.
>>>> This patch inserts the base64 encoded image during build so
>>>> nothing needs to be updated twice in case background image
>>>> changes.
>>>> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
>>>> ---
>>>>  html/html/redirect-templates/legacy/template.html | 7 ++++++-
>>>>  lfs/web-user-interface                            | 4 ++++
>>>>  2 files changed, 10 insertions(+), 1 deletion(-)
>>>> diff --git a/html/html/redirect-templates/legacy/template.html
>>>> b/html/html/redirect-templates/legacy/template.html
>>>> index b5fb61ebe..297561e3a 100644
>>>> --- a/html/html/redirect-templates/legacy/template.html
>>>> +++ b/html/html/redirect-templates/legacy/template.html
>>>> @@ -3,11 +3,16 @@
>>>>  	<head>
>>>>  		<meta http-equiv=3D"Content-Type" content=3D"text/html;
>>>> charset=3Dutf-8">=20
>>>>  		<title>ACCESS MESSAGE</title>
>>>> +		<style content=3D"text/css">
>>>> +			td.image {
>>>> +				background-image:
>>>> url(data:image/gif;base64,IMAGEDATAPLACEHOLDER);
>>>> +			}
>>>> +		</style>
>>>>  	</head>
>>>>  	<body>
>>>>  		<table width=3D"100%" height=3D'100%' border=3D"0">
>>>>  			<tr>
>>>> -				<td colspan=3D'3' width=3D'100%' height=3D'130'
>>>> align=3D"center" background=3D"<TMPL_VAR
>>>> NAME=3D"ADDRESS">/images/background.gif">
>>>> +				<td colspan=3D'3' width=3D'100%'
>>>> height=3D'152px'
>>>> align=3D"center" class=3D"image">&nbsp;</td>
>>>>  			<tr>
>>>>  				<td width=3D'10%'>
>>>>  				<td align=3D'center' bgcolor=3D'#CC000000'
>>>> width=3D'80%'>
>>>> diff --git a/lfs/web-user-interface b/lfs/web-user-interface
>>>> index 0c5688252..b023cbd86 100644
>>>> --- a/lfs/web-user-interface
>>>> +++ b/lfs/web-user-interface
>>>> @@ -50,6 +50,10 @@ md5:
>>>>  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>>>>  	@$(PREBUILD)
>>>> +	# Add base64 encoded background image to Squid content access
>>>> page
>>>> +	basedata=3D"$( base64 $(DIR_SRC)/html/html/images/background.gif )"
>>>> +	sed -i "s/IMAGEDATAPLACEHOLDER/${basedata}/g"
>>>> $(DIR_SRC)/html/html/redirect-templates/legacy/template.html
>=20
> This isn't a shell script. It is make in which every line invokes a new she=
ll.
> Therefore the variable assignment happens in one shell and then the next li=
ne in
> executed in a new one which knows nothing about the previous variable
> assignment.
This sounds correct. However, in case I ran "./make.sh build", there actually
is some image data in the built file:

~> cat ~/devel/ipfire-2.x/build/srv/web/ipfire/html/redirect-templates/legacy=
/template.html | head -n 8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
	<head>
		<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-8">=20
		<title>ACCESS MESSAGE</title>
		<style content=3D"text/css">
			td.image {
				background-image: url(data:image/gif;base64,iVBORw0KGgoAAAANSUhEUgAAAH0AA=
ACaCAYAAACEwUcfAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAgY0hSTQAAeiYAAICEAA=
D6AAAAgOgAAHUwAADqYAAAOpgAABdwnLpRPAAAABh0RVh0U29mdHdhcmUAUGFpbnQuTkVUIHYzLjA=
39c2BcAAAqsJJREFUeF7svQV4XVeSLVyXhGZmZo6ZYmamOGa2Y8cMScx2zEwxMzMzyMwg27JlMTOz=
dPnWv+pIctSZdL+e93p6euZvJ+s7l3TvOWftgl27qraK/pv/5VWRauxUUg92Jo2xGmnCzWRX1IHsS=
qpJ7ZCH1KkqspodyJyaQNYonYrYqLLlsuXX5KMUVWG1VWcykKM2r9bOwVFdwFlL+TV2qoJaNecjC5=
PVZotOMqn8A4ymkJuRlPZpOVnuhJEt+5I1alJpaxFVaU3UMQ9pq5UnTakyZFfEQa3Tkp1dLgeVTq1=
ROai0Fkc7tcbZTsNOap0qD6lUBXUaVSEtUV6dTuXAxFaVjVPIpgkxmDgoSV8g0BZvl3j4hZ/hqCuZ=
/C8R/zff5n+tn/9WR6oNB0nz9CjZ+a4mpxfnKe/9I1TI8xyVDDhBZcKvUHnfa1Qy8BIV8T1DeT+eV=
ud/dd6+0IeLeYt7XcpTJuSaQ9WYu7pG8Q/sOyY/cRyW9sJhKjA3/ZndlIRH2u4BD7TVX96nfEvukI=
6OkQpXL6Ce5Ui1pAmp964njcsD0p5wIcdrVynfpztUyM1FVcrribpK0DtN7eAPuiZhbvZtor44dov=
1dhwY5+s4McnfcbE+0GmbKdjxiDnM4ZQlzAlHp42mQOdpGX55Okd4Fq/kca9g3qVrya5nC1Jn/ebX=
3/7XYuC/6WymDSXNy4ukCz1KTqGnKZ8rCH53gkqHHKFKUWepWvwVqhx3i8qFulDxiNua4mE3nEsE3=
bAvG3TXsXbUQ6cWSc8deqW8tB+f8dphgf6N/Yr013aLU55pR0c9Un/r8YTKnrtNuceNIF2eeqRRaU=
idqxapa4wgzepfnXXXLpWxdz1eNJ/bpbyFPO85lw946lQv7IVjmxhX516J7o5DE7wcJib7OMxJ83N=
ckubvuC49wGGnIdDhqDnE/jJw2xrucMsc7nDeHOm4HcTPNAbn6pzsUbDym+e6vDu3ka5Crn+T/leH=
1cMjpPPeSbnizlHB0LNU/MtpSPgxqhZ3huoknwNuULVoF1WFuCe6clEujpWjXXLXj3mSq13ia+fBK=
W8dZqa+s19tcLXfaXhvtz3jpW5+0lPtAJDeMOS+qrTHNSp04zTl2rmE7Be1IN24xqRd1chet2pOec=
dNKwrndtlZtOj7MwUrBrjkbRz7JleXRHf7MaleDvPTfew3GvztD5iC7c+YQuyuWELtb5pD7e4BD8z=
hdo+Ah5YI+zvmKLvz1ij7bZZwh6nG4DztI/0LlXv00CnPmLGk1Rb8ql0UDfPvf1l3YDLs+oUJpHu3=
jXL7HaWi8cepbMBpqgr1Xiv2DDVIPk+N0q9T3WQXqpF4W1Mj+pFDk7hnTl2S3zgNT3N1+Cnd1X6j/=
oP9UeNH3TnDe92h9Fe6RWmvNEMSnmjbxzyxrx/0wK66+x11+dvHVUUP/kZ5NixXOS39RWW/azo5Ht=
1Mua4dUed/cUFb2ueuXe2IVw7tkz46jE/3sl9m8Lc7YgrUXbcE2923hOgeW8J0DwEh/ZYlzO6qJUJ=
33hxhd8IcabfLHGG/zBTqNCo9JHeLcPdcpS4eIaeqlQhuw+8m5d+E/34HV
[rest of the base64 block redacted]

So I guess the result of this patch is okay, but the question is why. :-)

Best regards,
Peter M=C3=BCller
>=20
> You will have an empty image in the result file I think.
>=20
> -Michael
>=20
>>>
>>> Did you actually test this?
>>>
>>>> +
>>>>  	# Copy all html/cgi-bin files
>>>>  	mkdir -p /srv/web/ipfire/{cgi-bin,html}
>>>>  	mkdir -p /var/updatecache/{download,metadata}
>>>
>>> -Michael
>>>

--=20
"We don't care.  We don't have to.  We're the Phone Company."


--===============6902841613735296234==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWxzNHZ1TUFDZ2tRMlVqeUQzMTcKbjJpdDFRLzhDaW5GbnJSNG9L
QUFCUXdFc2hFcmdTa1pUcEhtUWpnMnhlayt4VEJuS3hBWW8vTnBXdGEvYUl5ZgplOFNXc0tTWm5F
MGFIS2tpYU5pWHh4cE5rTXBuWmV6ZFFCT0ZiWng2aXA0MDBYS2NEZlUvY2taSzJqdFFCSk9XCkR3
YTVhRnJtTjNETDN5SHFsSzczYlBQNmhibi94RFAzUmZkS1NlV0FuWnRNMzJLRFEvMHQvUU5ubDRj
T0VDUTgKL2JQaFJJRkkwNEVKTlZaUGx6TEJIeVFlZW9TcTR1SzlZZWtVSFZMU1M5WUU4RWhQN3BC
a3JDK2FZU0s2VzZjdgorejBqRHkvVEV6SlU3eHRpK0E2UGtCSVpaM1djU1FpVTNtSC9pWWhGRHJ2
U0RTSGJXWUx4NHVwbDl5M2JodHJ2Ckk4Z0dUZnZnMkI4RXo0STQvSU1FanJIR3U0QVpaL0RVKzY1
REZvMTRVUWhlcUo4U0hqb1dMaXZjTldqRWt1Q2UKL3h0bzdkUG1jQXNrdllzcWR3ODk0blhwZk81
bGNCV2xLODhXWEIwOW5oSnVDZWxucFNwajNENGx4N0dVUmU4Lwo2UnNJTmJIUHAxM2V2SHcraEdZ
a3F6eWwybTJEOFpOdVJxK1hhbTVYdWxDUGZ4cThUTXlqK283YXRFekw1SFhNCmhXNkJWelptb1lM
czN0dE9ZMkdsa3NReDVKTlJzcDF4Y1RydDFtcy9wWGc2RE51UkNnUFBVSGhDY0dQOEVTTmMKMzBh
Ulc1ZW9EUUg1bGs2UUVaZloyVU9hNytJZTFYbW5JU2ZvayttWWQ5NzB1NUhPb2VKU0NkNENUNmVX
TzV0bQppbE50cFcxQU44aVF1KzRNbG5Ha0g1VVJHYXM0UVBHa2lXNE1FcnNYSVM5Q0VFdTRwQlU9
Cj1mY3hzCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============6902841613735296234==--


From ummeegge@ipfire.org Mon Jul  2 13:26:10 2018
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Mon, 02 Jul 2018 14:26:05 +0200
Message-ID: <1530534365.8568.1.camel@ipfire.org>
In-Reply-To: <1529572373-16580-1-git-send-email-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8721465168409595230=="

--===============8721465168409595230==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi,
just wanted to know if this fix will be applied ?

Best,

Erik


Am Donnerstag, den 21.06.2018, 11:12 +0200 schrieb Erik Kapfer:
> This fixes #11772 .
> 
> If the X509 are deleted, the openvpnctrl output generates a bad
> header wrapper error from the CGI
> which causes an internal server error. The redirection of the
> openvpnctrl output fixes this.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 4bc3473..5cd19a0 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -1181,7 +1181,7 @@ SETTINGS_ERROR:
>  	    delete $confighash{$cgiparams{'$key'}};
>  	}
>  
> -	system ("/usr/local/bin/openvpnctrl -drrd $name");
> +	system ("/usr/local/bin/openvpnctrl -drrd $name
> &>/dev/null");
>      }
>      while ($file = glob("${General::swroot}/ovpn/ca/*")) {
>  	unlink $file;

--===============8721465168409595230==--


From michael.tremer@ipfire.org Tue Jul  3 10:52:29 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Tue, 03 Jul 2018 10:52:29 +0100
Message-ID: <5151d8fbf09ed5632c1d39bd70af7432ca6c4a3f.camel@ipfire.org>
In-Reply-To: <1530534365.8568.1.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3655697332104284578=="

--===============3655697332104284578==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Yes, I just did.

I collected all the patches and merged all the package updates first and toda=
y I
merged all other smaller changes.

Best,
-Michael

On Mon, 2018-07-02 at 14:26 +0200, ummeegge wrote:
> Hi,
> just wanted to know if this fix will be applied ?
>=20
> Best,
>=20
> Erik
>=20
>=20
> Am Donnerstag, den 21.06.2018, 11:12 +0200 schrieb Erik Kapfer:
> > This fixes #11772 .
> >=20
> > If the X509 are deleted, the openvpnctrl output generates a bad
> > header wrapper error from the CGI
> > which causes an internal server error. The redirection of the
> > openvpnctrl output fixes this.
> >=20
> > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > ---
> >  html/cgi-bin/ovpnmain.cgi | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >=20
> > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> > index 4bc3473..5cd19a0 100644
> > --- a/html/cgi-bin/ovpnmain.cgi
> > +++ b/html/cgi-bin/ovpnmain.cgi
> > @@ -1181,7 +1181,7 @@ SETTINGS_ERROR:
> >  	    delete $confighash{$cgiparams{'$key'}};
> >  	}
> > =20
> > -	system ("/usr/local/bin/openvpnctrl -drrd $name");
> > +	system ("/usr/local/bin/openvpnctrl -drrd $name
> > &>/dev/null");
> >      }
> >      while ($file =3D glob("${General::swroot}/ovpn/ca/*")) {
> >  	unlink $file;

--===============3655697332104284578==--


From michael.tremer@ipfire.org Tue Jul  3 10:54:27 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH v2] embed background image in redirect template
Date: Tue, 03 Jul 2018 10:54:26 +0100
Message-ID: <c84a0bb2b10f16f6b16acb3c5b3e03cc3f420144.camel@ipfire.org>
In-Reply-To: <b839dae0-5b5a-271e-8834-03a4c8c5e033@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7289927021862230201=="

--===============7289927021862230201==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Sun, 2018-07-01 at 13:45 +0200, Peter M=C3=BCller wrote:
> Hello Michael,
>=20
> > Hi,
> >=20
> > On Sun, 2018-07-01 at 07:49 +0200, Peter M=C3=BCller wrote:
> > > Hello Michael,
> > > yes, I built IPfire 2.x yesterday, and the image data were included
> > > into /srv/web/ipfire/html/redirect-templates/legacy/template.html .
> > > Is there anything wrong with this patch?
> >=20
> > Yes, see below...
> >=20
> > > Best regards,
> > > Peter M=C3=BCller
> > > > Hey,
> > > >=20
> > > > On Sat, 2018-06-30 at 09:56 +0200, Peter M=C3=BCller wrote:
> > > > > Embed the IPFire background image into the redirect template
> > > > > directly via CSS instead of loading it from somewhere else.
> > > > > This is necessary because of Content Security Policy (CSP) and
> > > > > fixes #11650.
> > > > > This patch inserts the base64 encoded image during build so
> > > > > nothing needs to be updated twice in case background image
> > > > > changes.
> > > > > Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
> > > > > ---
> > > > >  html/html/redirect-templates/legacy/template.html | 7 ++++++-
> > > > >  lfs/web-user-interface                            | 4 ++++
> > > > >  2 files changed, 10 insertions(+), 1 deletion(-)
> > > > > diff --git a/html/html/redirect-templates/legacy/template.html
> > > > > b/html/html/redirect-templates/legacy/template.html
> > > > > index b5fb61ebe..297561e3a 100644
> > > > > --- a/html/html/redirect-templates/legacy/template.html
> > > > > +++ b/html/html/redirect-templates/legacy/template.html
> > > > > @@ -3,11 +3,16 @@
> > > > >  	<head>
> > > > >  		<meta http-equiv=3D"Content-Type" content=3D"text/html;
> > > > > charset=3Dutf-8">=20
> > > > >  		<title>ACCESS MESSAGE</title>
> > > > > +		<style content=3D"text/css">
> > > > > +			td.image {
> > > > > +				background-image:
> > > > > url(data:image/gif;base64,IMAGEDATAPLACEHOLDER);
> > > > > +			}
> > > > > +		</style>
> > > > >  	</head>
> > > > >  	<body>
> > > > >  		<table width=3D"100%" height=3D'100%' border=3D"0">
> > > > >  			<tr>
> > > > > -				<td colspan=3D'3' width=3D'100%'
> > > > > height=3D'130'
> > > > > align=3D"center" background=3D"<TMPL_VAR
> > > > > NAME=3D"ADDRESS">/images/background.gif">
> > > > > +				<td colspan=3D'3' width=3D'100%'
> > > > > height=3D'152px'
> > > > > align=3D"center" class=3D"image">&nbsp;</td>
> > > > >  			<tr>
> > > > >  				<td width=3D'10%'>
> > > > >  				<td align=3D'center'
> > > > > bgcolor=3D'#CC000000'
> > > > > width=3D'80%'>
> > > > > diff --git a/lfs/web-user-interface b/lfs/web-user-interface
> > > > > index 0c5688252..b023cbd86 100644
> > > > > --- a/lfs/web-user-interface
> > > > > +++ b/lfs/web-user-interface
> > > > > @@ -50,6 +50,10 @@ md5:
> > > > >  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> > > > >  	@$(PREBUILD)
> > > > > +	# Add base64 encoded background image to Squid content access
> > > > > page
> > > > > +	basedata=3D"$( base64
> > > > > $(DIR_SRC)/html/html/images/background.gif )"
> > > > > +	sed -i "s/IMAGEDATAPLACEHOLDER/${basedata}/g"
> > > > > $(DIR_SRC)/html/html/redirect-templates/legacy/template.html
> >=20
> > This isn't a shell script. It is make in which every line invokes a new
> > shell.
> > Therefore the variable assignment happens in one shell and then the next
> > line in
> > executed in a new one which knows nothing about the previous variable
> > assignment.
>=20
> This sounds correct. However, in case I ran "./make.sh build", there actual=
ly
> is some image data in the built file:
>=20
> ~> cat ~/devel/ipfire-2.x/build/srv/web/ipfire/html/redirect-
> templates/legacy/template.html | head -n 8
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
> <html>
> 	<head>
> 		<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dutf-
> 8">=20
> 		<title>ACCESS MESSAGE</title>
> 		<style content=3D"text/css">
> 			td.image {
> 				background-image:
> url(data:image/gif;base64,iVBORw0KGgoAAAANSUhEUgAAAH0AAACaCAYAAACEwUcfAAAAA=
XNS
> R0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAgY0hSTQAAeiYAAICEAAD6AAAAgOgAAHUwAADqYAA=
AOp
> gAABdwnLpRPAAAABh0RVh0U29mdHdhcmUAUGFpbnQuTkVUIHYzLjA39c2BcAAAqsJJREFUeF7sv=
QV4
> XVeSLVyXhGZmZo6ZYmamOGa2Y8cMScx2zEwxMzMzyMwg27JlMTOzdPnWv+pIctSZdL+e93p6euZ=
vJ+
> s7l3TvOWftgl27qraK/pv/5VWRauxUUg92Jo2xGmnCzWRX1IHsSqpJ7ZCH1KkqspodyJyaQNYon=
YrY
> qLLlsuXX5KMUVWG1VWcykKM2r9bOwVFdwFlL+TV2qoJaNecjC5PVZotOMqn8A4ymkJuRlPZpOVn=
uhJ
> Et+5I1alJpaxFVaU3UMQ9pq5UnTakyZFfEQa3Tkp1dLgeVTq1ROai0Fkc7tcbZTsNOap0qD6lUB=
XUa
> VSEtUV6dTuXAxFaVjVPIpgkxmDgoSV8g0BZvl3j4hZ/hqCuZ/C8R/zff5n+tn/9WR6oNB0nz9Cj=
Z+a
> 4mpxfnKe/9I1TI8xyVDDhBZcKvUHnfa1Qy8BIV8T1DeT+eVud/dd6+0IeLeYt7XcpTJuSaQ9WYu=
7pG
> 8Q/sOyY/cRyW9sJhKjA3/ZndlIRH2u4BD7TVX96nfEvukI6OkQpXL6Ce5Ui1pAmp964njcsD0p5=
wIc
> drVynfpztUyM1FVcrribpK0DtN7eAPuiZhbvZtor44dov1dhwY5+s4McnfcbE+0GmbKdjxiDnM4=
ZQl
> zAlHp42mQOdpGX55Okd4Fq/kca9g3qVrya5nC1Jn/ebX3/7XYuC/6WymDSXNy4ukCz1KTqGnKZ8=
rCH
> 53gkqHHKFKUWepWvwVqhx3i8qFulDxiNua4mE3nEsE3bAvG3TXsXbUQ6cWSc8deqW8tB+f8dphg=
f6N
> /Yr013aLU55pR0c9Un/r8YTKnrtNuceNIF2eeqRRaUidqxapa4wgzepfnXXXLpWxdz1eNJ/bpby=
FPO
> 85lw946lQv7IVjmxhX516J7o5DE7wcJib7OMxJ83NckubvuC49wGGnIdDhqDnE/jJw2xrucMsc7=
nDe
> HOm4HcTPNAbn6pzsUbDym+e6vDu3ka5Crn+T/leH1cMjpPPeSbnizlHB0LNU/MtpSPgxqhZ3huo=
knw
> NuULVoF1WFuCe6clEujpWjXXLXj3mSq13ia+fBKW8dZqa+s19tcLXfaXhvtz3jpW5+0lPtAJDeM=
OS+
> qrTHNSp04zTl2rmE7Be1IN24xqRd1chet2pOecdNKwrndtlZtOj7MwUrBrjkbRz7JleXRHf7Mal=
eDv
> PTfew3GvztD5iC7c+YQuyuWELtb5pD7e4BD8zhdo+Ah5YI+zvmKLvz1ij7bZZwh6nG4DztI/0Ll=
Xv0
> 0CnPmLGk1Rb8ql0UDfPvf1l3YDLs+oUJpHu3jXL7HaWi8cepbMBpqgr1Xiv2DDVIPk+N0q9T3WQ=
Xqp
> F4W1Mj+pFDk7hnTl2S3zgNT3N1+Cnd1X6j/oP9UeNH3TnDe92h9Fe6RWmvNEMSnmjbxzyxrx/0w=
K66
> +x11+dvHVUUP/kZ5NixXOS39RWW/azo5Ht1Mua4dUed/cUFb2ueuXe2IVw7tkz46jE/3sl9m8Lc=
7Yg
> rUXbcE2923hOgeW8J0DwEh/ZYlzO6qJUJ33hxhd8IcabfLHGG/zBTqNCo9JHeLcPdcpS4eIaeql=
Qhu
> w+8m5d+E/34HV
> [rest of the base64 block redacted]
>=20
> So I guess the result of this patch is okay, but the question is why. :-)

That must be an old file from a non-clean build.

You are also modifying the source file. And you did not escape the $ in the
Makefile.

- -Michael

>=20
> Best regards,
> Peter M=C3=BCller
> >=20
> > You will have an empty image in the result file I think.
> >=20
> > -Michael
> >=20
> > > >=20
> > > > Did you actually test this?
> > > >=20
> > > > > +
> > > > >  	# Copy all html/cgi-bin files
> > > > >  	mkdir -p /srv/web/ipfire/{cgi-bin,html}
> > > > >  	mkdir -p /var/updatecache/{download,metadata}
> > > >=20
> > > > -Michael
> > > >=20
>=20
>=20
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAls7R9IACgkQgHnw/2+Q
CQcgRBAAsX8YNxXaPCoKr7qoaSoHacSlabGf30KARfS3Wri1kR9twtGx1t9nO7+z
49zTG5EnVW9wqYOM7XBsOb5G2lLaiHJ7lgx9xqnh2NaHc1cRBsYDZ0w3cWdyO4RX
sxLXw7Lf/Z1Qj/RSgHelNaoTRbZ+pajkgVmHPqBr1LPpDAMtrNBGyvZoGn+ybFii
6wV7w1UTIrhXGjKBQWYRWaZdqq341Z61voCabFdaWUjHEjYcfFVcada6mcDec+by
N5MzLwILVlW3gumwEVDGCY29l+VCcznsiuuJ5ihRNLeMJeXFfzH81uLuWvLO9/Nt
T+ag7KPXGrjxyeVJc4L60DU/DKxzAEmj5WeH914OGiTNk8PsL1EiDCZCPCVKDZKG
LF5YxNpFEEZoks3NfCPXA02y2Evx1LhcAR74lBgxKKFyUmZHgk2qcDi6uuTzwAea
3TKTi4Jcaxhme5RTDgwtDnQP3KyQQaT+3H2/sFSuJoU/pcR2nbCykV3NvsZTsrtW
oLzB/TPPdhDcHeiykts+crqA6U9BtPGTKSV5kFZhXc9NGO0ovk/u0VEA0f+zppep
DSL7hTZFMq7CKkvo4rpacKLAArFg8/FOlFzhGMJtz4jNwmyvbvvHdpWd90wmONGy
/cKUwOlz+XwaHqFxlq9dTV/q1Nh1ykuhzVY37KVLuiqEgNWsNjo=3D
=3DNTto
-----END PGP SIGNATURE-----


--===============7289927021862230201==--


From ummeegge@ipfire.org Tue Jul  3 13:18:19 2018
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Tue, 03 Jul 2018 14:18:15 +0200
Message-ID: <1530620295.8483.5.camel@ipfire.org>
In-Reply-To: <5151d8fbf09ed5632c1d39bd70af7432ca6c4a3f.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3942722852928191970=="

--===============3942722852928191970==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,
thanks for merging. I have seen that you=C2=B4d applied version 1 of this
patch
https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dblobdiff;f=3Dhtml/cgi-bin/ovpn=
main.cgi;h=3Dc0c7cff6d87f6e18206129ab196172be61683a38;hp=3D5cd19a0f38f564c54e=
672814e0b5918134889b17;hb=3D15a3aa45cf27c61a581f892b5f3a3905335a12b0;hpb=3D8a=
e4010b312830bce82721325f0aeae524b2810a

but there=C2=B4s a version 2 of it=C2=A0
https://patchwork.ipfire.org/patch/1842/=20
which we should in any case prefer.

This is my fault since i didn=C2=B4t use the same commit name, just used the =
same message-id in the commit.

Sorry for that.

Best,

Erik

P.S. I do have some more OpenVPN patches (extensions no bugs), should i commi=
t some more or should we wait until the next release ?

Am Dienstag, den 03.07.2018, 10:52 +0100 schrieb Michael Tremer:
> Yes, I just did.
>=20
> I collected all the patches and merged all the package updates first
> and today I
> merged all other smaller changes.
>=20
> Best,
> -Michael
>=20
> On Mon, 2018-07-02 at 14:26 +0200, ummeegge wrote:
> >=20
> > Hi,
> > just wanted to know if this fix will be applied ?
> >=20
> > Best,
> >=20
> > Erik
> >=20

--===============3942722852928191970==--


From michael.tremer@ipfire.org Tue Jul  3 15:31:09 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Tue, 03 Jul 2018 15:31:07 +0100
Message-ID: <f87bc97dbbac9e0e1e3ab906d12c7849e20449f1.camel@ipfire.org>
In-Reply-To: <1530620295.8483.5.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6001843466184166689=="

--===============6001843466184166689==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On Tue, 2018-07-03 at 14:18 +0200, ummeegge wrote:
> Hi Michael,
> thanks for merging. I have seen that you=C2=B4d applied version 1 of this
> patch
> https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dblobdiff;f=3Dhtml/cgi-bin/ov=
pnmain.cg
> i;h=3Dc0c7cff6d87f6e18206129ab196172be61683a38;hp=3D5cd19a0f38f564c54e67281=
4e0b591
> 8134889b17;hb=3D15a3aa45cf27c61a581f892b5f3a3905335a12b0;hpb=3D8ae4010b3128=
30bce82
> 721325f0aeae524b2810a
>=20
> but there=C2=B4s a version 2 of it=20
> https://patchwork.ipfire.org/patch/1842/=20
> which we should in any case prefer.

Oh sorry. If you can, please mark the v1 as such in Patchwork. I am not sure =
if
we can trigger this automatically via email.

> This is my fault since i didn=C2=B4t use the same commit name, just used th=
e same
> message-id in the commit.
>=20
> Sorry for that.

No problem.

>=20
> Best,
>=20
> Erik
>=20
> P.S. I do have some more OpenVPN patches (extensions no bugs), should i com=
mit
> some more or should we wait until the next release ?

What are those?

Best,
-Michael

>=20
> Am Dienstag, den 03.07.2018, 10:52 +0100 schrieb Michael Tremer:
> > Yes, I just did.
> >=20
> > I collected all the patches and merged all the package updates first
> > and today I
> > merged all other smaller changes.
> >=20
> > Best,
> > -Michael
> >=20
> > On Mon, 2018-07-02 at 14:26 +0200, ummeegge wrote:
> > >=20
> > > Hi,
> > > just wanted to know if this fix will be applied ?
> > >=20
> > > Best,
> > >=20
> > > Erik
> > >=20

--===============6001843466184166689==--


From ummeegge@ipfire.org Tue Jul  3 18:41:00 2018
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Tue, 03 Jul 2018 19:40:59 +0200
Message-ID: <1530639659.13853.10.camel@ipfire.org>
In-Reply-To: <f87bc97dbbac9e0e1e3ab906d12c7849e20449f1.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3745775678289819572=="

--===============3745775678289819572==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Michael,

Am Dienstag, den 03.07.2018, 15:31 +0100 schrieb Michael Tremer:
> Hi,
> 
> On Tue, 2018-07-03 at 14:18 +0200, ummeegge wrote:
> > 
> > Hi Michael,
> > thanks for merging. I have seen that you´d applied version 1 of
> > this
> > patch
> > https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=html/cgi-bin/
> > ovpnmain.cg
> > i;h=c0c7cff6d87f6e18206129ab196172be61683a38;hp=5cd19a0f38f564c54e6
> > 72814e0b591
> > 8134889b17;hb=15a3aa45cf27c61a581f892b5f3a3905335a12b0;hpb=8ae4010b
> > 312830bce82
> > 721325f0aeae524b2810a
> > 
> > but there´s a version 2 of it 
> > https://patchwork.ipfire.org/patch/1842/ 
> > which we should in any case prefer.
> Oh sorry. If you can, please mark the v1 as such in Patchwork. I am
> not sure if
> we can trigger this automatically via email.
You mean to mark the first patch as v1 ? In that case i need to setup
the old patch again as a new one and send it as answer to the v2 patch.

> > 
> > P.S. I do have some more OpenVPN patches (extensions no bugs),
> > should i commit
> > some more or should we wait until the next release ?
> What are those?
Wanted to finish the 2.4 OpenVPN project in the course which we did
discussed some time ago. So i thought about this order:

1) Automatic cipher negotiation for RWs only (checkbox in advanced
section)
2) tls-crypt for N2N only (checkbox in N2N main menu).
3) LZ4 compression possibility for N2N and RW (menu with possiblity for
none, lzo, lz4v2)
4) Clean up ovpnmain.cgi from mtu-discovery since there are some old
code blocks left.

There is more but to get the old list shorter for the first.

Best,

Erik

--===============3745775678289819572==--


From matthias.fischer@ipfire.org Tue Jul  3 20:52:32 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: 'collectd' and 'cpufreq' on IPFire Duobox - wrong path in initscript?
Date: Tue, 03 Jul 2018 21:52:42 +0200
Message-ID: <e133adc3-3adb-5a0b-5d56-c51c32675cef@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1551503355630583697=="

--===============1551503355630583697==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi!

This was triggered by https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dcommitdi=
ff;h=3D37458540bf727df09989c10d640ad13c1a989029

I thought some cpu graphs on my "Duo Box" could be helpful and installed
'cpufrequtils'.

But after adding the above commit to '/etc/init.d/collectd'
and restarting 'collectd' =3D> no graphs appeared.

Reason:
The needed directory '/sys/devices/system/cpu/cpufreq/policy0/' doesn't
exist on my machine, so the 'LoadPlugin' was always commented and
deactivated.

Instead there are '/sys/devices/system/cpu/cpu0' and
'/sys/devices/system/cpu/cpu1'.

So I tested this the hard way.

After commenting the if-statement, everything is working, CPU graphs
appear and show reasonable values:

...
# Enable cpufreq plugin if cpufreq found
#if [ ! -e  /sys/devices/system/cpu/cpufreq/policy0/*_cur_freq ]; then
#	sed -i -e "s|^LoadPlugin cpufreq|#LoadPlugin cpufreq|g" /etc/collectd.conf
#else
	sed -i -e "s|^#LoadPlugin cpufreq|LoadPlugin cpufreq|g" /etc/collectd.conf
#fi
...

Changed this to:

...
if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/*_cur_freq ]; then
..

But this gave me an error:

/etc/init.d/collectd: line 95: [: /sys/devices/system/cpu/cpu0/cpufreq/cpuinf=
o_cur_freq: binary operator expected

I changed the line to:

...
if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq ]; then
...

And now it is running as expected.

Would this be ok for other machines?
Bug or feature - can anyone confirm?

Best,
Matthias

P.S.: I didn't forget the Telko - I was still at work. Too bad...

--===============1551503355630583697==--


From Arne.Fitzenreiter@ipfire.org Wed Jul  4 00:09:30 2018
From: Arne Fitzenreiter <Arne.Fitzenreiter@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: 'collectd' and 'cpufreq' on IPFire Duobox - wrong path in initscript?
Date: Wed, 04 Jul 2018 01:09:29 +0200
Message-ID: <e5561d5c3211d4d0e87b787f3c42669d@ipfire.org>
In-Reply-To: <e133adc3-3adb-5a0b-5d56-c51c32675cef@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2750134614620270476=="

--===============2750134614620270476==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On some maschines the file i

I think this need more investigation.



> This was triggered by
> https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dcommitdiff;h=3D37458540bf727=
df09989c10d640ad13c1a989029
>=20
> I thought some cpu graphs on my "Duo Box" could be helpful and=20
> installed
> 'cpufrequtils'.
>=20
> But after adding the above commit to '/etc/init.d/collectd'
> and restarting 'collectd' =3D> no graphs appeared.
>=20
> Reason:
> The needed directory '/sys/devices/system/cpu/cpufreq/policy0/' doesn't
> exist on my machine, so the 'LoadPlugin' was always commented and
> deactivated.
>=20
> Instead there are '/sys/devices/system/cpu/cpu0' and
> '/sys/devices/system/cpu/cpu1'.
>=20
> So I tested this the hard way.
>=20
> After commenting the if-statement, everything is working, CPU graphs
> appear and show reasonable values:
>=20
> ...
> # Enable cpufreq plugin if cpufreq found
> #if [ ! -e  /sys/devices/system/cpu/cpufreq/policy0/*_cur_freq ]; then
> #	sed -i -e "s|^LoadPlugin cpufreq|#LoadPlugin cpufreq|g"=20
> /etc/collectd.conf
> #else
> 	sed -i -e "s|^#LoadPlugin cpufreq|LoadPlugin cpufreq|g"=20
> /etc/collectd.conf
> #fi
> ...
>=20
> Changed this to:
>=20
> ...
> if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/*_cur_freq ]; then
> ..
>=20
> But this gave me an error:
>=20
> /etc/init.d/collectd: line 95: [:
> /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq: binary operator
> expected
>=20
> I changed the line to:
>=20
> ...
> if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq ]; then
> ...
>=20
> And now it is running as expected.
>=20
> Would this be ok for other machines?
> Bug or feature - can anyone confirm?
>=20
> Best,
> Matthias
>=20
> P.S.: I didn't forget the Telko - I was still at work. Too bad...

--===============2750134614620270476==--


From michael.tremer@ipfire.org Wed Jul  4 10:12:52 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 10:12:51 +0100
Message-ID: <51c9b839bbe41426c9f84bda2d9e9343d9ec4d28.camel@ipfire.org>
In-Reply-To: <c8f9202f-47b1-c34e-5480-8191d57f8a2b@treenet.co.nz>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5374038360581794484=="

--===============5374038360581794484==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Squid 4.1 has been released.

@Matthias: As far as I remember, you have been working on updating squid befo=
re.
Will you have a look at this?

Best,
-Michael



--===============5374038360581794484==
Content-Type: message/rfc822
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.eml"
MIME-Version: 1.0

UmV0dXJuLVBhdGg6IDxtLnMudHJlbWVyK2NhZl89bWljaGFlbD10cmVtZXIuaW5mb0BnbWFpbC5j
b20+ClgtT3JpZ2luYWwtVG86IG1pY2hhZWxAdHJlbWVyLmluZm8KRGVsaXZlcmVkLVRvOiBtc0Bt
YWlsMDEuaXBmaXJlLm9yZwpSZWNlaXZlZDogZnJvbSBtYWlsLXVhMC1mMTc1Lmdvb2dsZS5jb20g
KG1haWwtdWEwLWYxNzUuZ29vZ2xlLmNvbQogWzIwOS44NS4yMTcuMTc1XSkgKHVzaW5nIFRMU3Yx
LjIgd2l0aCBjaXBoZXIgRUNESEUtUlNBLUFFUzI1Ni1HQ00tU0hBMzg0CiAoMjU2LzI1NiBiaXRz
KSkgKENsaWVudCBDTiAic210cC5nbWFpbC5jb20iLCBJc3N1ZXIgIkdvb2dsZSBJbnRlcm5ldAog
QXV0aG9yaXR5IEcyIiAodmVyaWZpZWQgT0spKSBieSBtYWlsMDEuaXBmaXJlLm9yZyAoUG9zdGZp
eCkgd2l0aCBFU01UUFMgaWQKIDIzMzA0MTA3QjFFRSBmb3IgPG1pY2hhZWxAdHJlbWVyLmluZm8+
OyBXZWQsICA0IEp1bCAyMDE4IDA2OjA1OjM4ICswMTAwCiAoQlNUKQpSZWNlaXZlZDogYnkgbWFp
bC11YTAtZjE3NS5nb29nbGUuY29tIHdpdGggU01UUCBpZCBnMTgtdjZzbzI2ODE5NjJ1YWsuMAog
ICAgICAgIGZvciA8bWljaGFlbEB0cmVtZXIuaW5mbz47IFR1ZSwgMDMgSnVsIDIwMTggMjI6MDU6
MzggLTA3MDAgKFBEVCkKWC1Hb29nbGUtREtJTS1TaWduYXR1cmU6IHY9MTsgYT1yc2Etc2hhMjU2
OyBjPXJlbGF4ZWQvcmVsYXhlZDsgZD0xZTEwMC5uZXQ7CiBzPTIwMTYxMDI1OwogaD14LW9yaWdp
bmFsLWF1dGhlbnRpY2F0aW9uLXJlc3VsdHM6eC1nbS1tZXNzYWdlLXN0YXRlOmRlbGl2ZXJlZC10
bwogOmRlbGl2ZXJlZC10bzpmcm9tOm9wZW5wZ3A6YXV0b2NyeXB0OnRvOm1lc3NhZ2UtaWQ6ZGF0
ZTp1c2VyLWFnZW50CiA6bWltZS12ZXJzaW9uOmNvbnRlbnQtbGFuZ3VhZ2U6c3ViamVjdDpwcmVj
ZWRlbmNlOmxpc3QtaWQKIDpsaXN0LXVuc3Vic2NyaWJlOmxpc3QtYXJjaGl2ZTpsaXN0LXBvc3Q6
bGlzdC1oZWxwOmxpc3Qtc3Vic2NyaWJlCiA6Y29udGVudC10cmFuc2Zlci1lbmNvZGluZzplcnJv
cnMtdG86c2VuZGVyOwogYmg9am5YYzQwUXkwYlRHMjlLYUUyQ1MzaEtsNlZ0SHhVcjBXekJNeFpW
OENLST07CiBiPUZmWTM3ZDdSekV6MlBKeGl3RGhKdEJpQlNHa216Ums5SEFQTjFVWWpNZGRjV0px
U2R6VUF6TlgydHpZdU1pbmFLaAogbm1uL25NZWovVm0xWk0wNXdSd0UyU1lIeGFSeCtTczIzTGRN
eUpmM0VGbXEwY1ZGR05aMTNxeE5OMHlkUlRGNGU2MzMKIHFzY1RabXBnMFYzbmFOUXQrK1NqV1Q1
Z2YrY2w1Mkp0NWszYzRPUzhMd2piNlRnMmIycnE2U0NoSHduOEpQeGI1V0hRCiBDc0tJYm5WTUZp
NkVoVXY2akU4dittd1lKSmtFd3pWdURzNldLM2djdXMwaGNhZkFIU043NGZ4TzNmYWxYRDhxdDY0
eQogTWk0Y0x6KzBCTXYwUmdrNFdwanZlSUQrbUF2QWs2YUpCaXY1OW9oYjFUd3JYSmI2eUZrL29S
cDRXV1pKTHBQcXZDb1EgYTF1Zz09ClgtT3JpZ2luYWwtQXV0aGVudGljYXRpb24tUmVzdWx0czog
bXguZ29vZ2xlLmNvbTsgICAgICAgc3BmPXBhc3MKIChnb29nbGUuY29tOiBkb21haW4gb2Ygc3F1
aWQtYW5ub3VuY2UtYm91bmNlc0BsaXN0cy5zcXVpZC1jYWNoZS5vcmcKIGRlc2lnbmF0ZXMgMTA0
LjEzMC4yMDEuMTIwIGFzIHBlcm1pdHRlZCBzZW5kZXIpCiBzbXRwLm1haWxmcm9tPXNxdWlkLWFu
bm91bmNlLWJvdW5jZXNAbGlzdHMuc3F1aWQtY2FjaGUub3JnClgtR20tTWVzc2FnZS1TdGF0ZTog
QVB0NjlFMk5WVHhXUFlDcjlqNnROdUExNnRRczI4MWNhc1ZlSmUzUG0xOTlRZlN1NUVOeXczWnMK
IHVWRUllcUh4aUw5aTdjbXJLLzlxM2oxeVVEZHBaamdMbHE5M0dLWitDcHhwYUJjc3dLOD0KWC1S
ZWNlaXZlZDogYnkgMjAwMjphYjA6MWMxYTo6IHdpdGggU01UUCBpZAogYTI2LXY2bXIyNzY3MDZ1
YWouMTQyLjE1MzA2ODA3MzY3NjM7IFR1ZSwgMDMgSnVsIDIwMTggMjI6MDU6MzYgLTA3MDAgKFBE
VCkKWC1Gb3J3YXJkZWQtVG86IG1pY2hhZWxAdHJlbWVyLmluZm8KWC1Gb3J3YXJkZWQtRm9yOiBt
LnMudHJlbWVyQGdtYWlsLmNvbSBtaWNoYWVsQHRyZW1lci5pbmZvCkRlbGl2ZXJlZC1UbzogbS5z
LnRyZW1lckBnbWFpbC5jb20KUmVjZWl2ZWQ6IGJ5IDIwMDI6YWIwOjQ4NDY6MDowOjA6MDowIHdp
dGggU01UUCBpZCBjNi12NmNzcDMyNTgzNHVhZDsKICAgICAgICBUdWUsIDMgSnVsIDIwMTggMjI6
MDU6MzUgLTA3MDAgKFBEVCkKWC1Hb29nbGUtU210cC1Tb3VyY2U6IAogQUFPTWdwZWdXVWZUc3l6
akdUZzVlZHh1VW9INklpbmt1bXhEaFBoWGxydEpyNnZyOGpibXBRTGZyS3g4S042a2pZWWQ0NGlo
QUQyWApYLVJlY2VpdmVkOiBieSAyMDAyOmEwMjo4NTA5Ojogd2l0aCBTTVRQIGlkCiBnOS12Nm1y
NDA0MTA1amFpLjU0LjE1MzA2ODA3MzU3NDE7IFR1ZSwgMDMgSnVsIDIwMTggMjI6MDU6MzUgLTA3
MDAgKFBEVCkKQVJDLVNlYWw6IGk9MTsgYT1yc2Etc2hhMjU2OyB0PTE1MzA2ODA3MzU7IGN2PW5v
bmU7IGQ9Z29vZ2xlLmNvbTsKIHM9YXJjLTIwMTYwODE2OwogYj1aeWlPMzMvdWl6Z1g2UWJrUXpF
VlU1TlYySHdvcld6YUl3VmdtRlloNG5jVmtMS2k3SWtIQldnMTZEL2hpWFhuWlgKIEY0OTA3S0pS
emdoNjM0S0pMQVpJR3ZnMFlIS0ZNbVNLd1c3L3BFQ21FWFl1VnpKcjhKNElYTE9FOGw0WmlvOHFG
WkJ0CiBFeElVeDVEMjJ4bWpNc0ZLeFpwNFdRRW9ES0t1WDdJMGxCeEZwdkIxMDh2WWs2QXhSWk9w
UzY0bzdpMzY4Qy80aUxEMAogWlJyMkVkZCthR3M4cHBMOGtDdkFHUERsemVjeFBoUm05NzkvWmxr
Ky9TVnVKcW5ESDlQeHM4ekVQTVp5T21UdWpwKzMKIHN1ZUJhU09JRnFBUGFnS25EbG1HZlRvd3RC
QzRLNTNjUWZVcmJmY2JvZXlCSTlsaEV3Q3hHOHcvVC9zVC9vVWY4aG16IHprQUE9PQpBUkMtTWVz
c2FnZS1TaWduYXR1cmU6IGk9MTsgYT1yc2Etc2hhMjU2OyBjPXJlbGF4ZWQvcmVsYXhlZDsgZD1n
b29nbGUuY29tOwogcz1hcmMtMjAxNjA4MTY7CiBoPXNlbmRlcjplcnJvcnMtdG86Y29udGVudC10
cmFuc2Zlci1lbmNvZGluZzpsaXN0LXN1YnNjcmliZTpsaXN0LWhlbHAKIDpsaXN0LXBvc3Q6bGlz
dC1hcmNoaXZlOmxpc3QtdW5zdWJzY3JpYmU6bGlzdC1pZDpwcmVjZWRlbmNlOnN1YmplY3QKIDpj
b250ZW50LWxhbmd1YWdlOm1pbWUtdmVyc2lvbjp1c2VyLWFnZW50OmRhdGU6bWVzc2FnZS1pZDp0
bwogOmF1dG9jcnlwdDpvcGVucGdwOmZyb206ZGVsaXZlcmVkLXRvOmFyYy1hdXRoZW50aWNhdGlv
bi1yZXN1bHRzOwogYmg9am5YYzQwUXkwYlRHMjlLYUUyQ1MzaEtsNlZ0SHhVcjBXekJNeFpWOENL
ST07CiBiPW5JeVFFSmcxTHdMbzQ2MFFHMS9CcHgwem9tb0crMUF4V2RORWZTT041SFllMGd6Y05C
b3VoUmMvenJkc0VBdHpsWgogSUNWR0ZwelVma3ZlR1l5L091SWhDMmVUYW9vdGRJNHJIeFlOK1Aw
ZGxjSXRRUXlJSU4zTTFNNkJkdCtkOWRBdm5vdlYKIGhGOXJFQnVyVldCajhuUGFQS2xJcFIwS3ZT
QXAwSmIvRFpXSWNUZlAyZi9pVEhhamVHQ0NxZmNtY05WRkc2QjVxazlVCiBTcWZ5WmM4WUJ0RTZh
cFU0MVVGSUhLOHdkYlZJY1lhMCtLYmpCZGpPY3RVVHdMWkUxd296V2dmd3BSUmdlZ21QYkhBUgog
REY0cm5URW1nQ3NTZUtzVWVIWFV3YlRIRFVoUDR5djhETzZKY3ZYQnhhN0d3N0JURFlkRmhOeFp6
Sm1DeFZaSW1vNmQgSXhLUT09CkFSQy1BdXRoZW50aWNhdGlvbi1SZXN1bHRzOiBpPTE7IG14Lmdv
b2dsZS5jb207IHNwZj1wYXNzIChnb29nbGUuY29tOgogZG9tYWluIG9mIHNxdWlkLWFubm91bmNl
LWJvdW5jZXNAbGlzdHMuc3F1aWQtY2FjaGUub3JnIGRlc2lnbmF0ZXMKIDEwNC4xMzAuMjAxLjEy
MCBhcyBwZXJtaXR0ZWQgc2VuZGVyKQogc210cC5tYWlsZnJvbT1zcXVpZC1hbm5vdW5jZS1ib3Vu
Y2VzQGxpc3RzLnNxdWlkLWNhY2hlLm9yZwpSZWNlaXZlZDogZnJvbSBsaXN0cy5zcXVpZC1jYWNo
ZS5vcmcgKGxpc3RzLnNxdWlkLWNhY2hlLm9yZy4KIFsxMDQuMTMwLjIwMS4xMjBdKSBieSBteC5n
b29nbGUuY29tIHdpdGggRVNNVFAgaWQKIGI2My12NnNpMTkyODU4NGl0ZS41MS4yMDE4LjA3LjAz
LjIyLjA1LjM1OyBUdWUsIDAzIEp1bCAyMDE4IDIyOjA1OjM1IC0wNzAwCiAoUERUKQpSZWNlaXZl
ZC1TUEY6IHBhc3MgKGdvb2dsZS5jb206IGRvbWFpbiBvZgogc3F1aWQtYW5ub3VuY2UtYm91bmNl
c0BsaXN0cy5zcXVpZC1jYWNoZS5vcmcgZGVzaWduYXRlcyAxMDQuMTMwLjIwMS4xMjAgYXMKIHBl
cm1pdHRlZCBzZW5kZXIpIGNsaWVudC1pcD0xMDQuMTMwLjIwMS4xMjA7ClJlY2VpdmVkOiBmcm9t
IG1hc3Rlci5zcXVpZC1jYWNoZS5vcmcgKGlwNi1sb2NhbGhvc3QgWzEyNy4wLjAuMV0pCglieSBs
aXN0cy5zcXVpZC1jYWNoZS5vcmcgKFBvc3RmaXgpIHdpdGggRVNNVFAgaWQgMEQ1RkJFNTg0NjsK
CVdlZCwgIDQgSnVsIDIwMTggMDU6MDU6MTAgKzAwMDAgKFVUQykKWC1PcmlnaW5hbC1Ubzogc3F1
aWQtYW5ub3VuY2VAbGlzdHMuc3F1aWQtY2FjaGUub3JnCkRlbGl2ZXJlZC1Ubzogc3F1aWQtYW5u
b3VuY2VAc3F1aWQtY2FjaGUub3JnClJlY2VpdmVkOiBmcm9tIHRyZWVuZXQuY28ubnogKHVua25v
d24gWzEyMS45OS4yMjguODJdKQogYnkgbGlzdHMuc3F1aWQtY2FjaGUub3JnIChQb3N0Zml4KSB3
aXRoIEVTTVRQIGlkIEUxNEMzRTAyRDkKIGZvciA8c3F1aWQtYW5ub3VuY2VAbGlzdHMuc3F1aWQt
Y2FjaGUub3JnPjsKIFdlZCwgIDQgSnVsIDIwMTggMDU6MDI6NTggKzAwMDAgKFVUQykKUmVjZWl2
ZWQ6IGZyb20gWzE5Mi4xNjguMTM3LjkyXSAodW5rbm93biBbMTIxLjk4LjQyLjIyNV0pCiBieSB0
cmVlbmV0LmNvLm56IChQb3N0Zml4KSB3aXRoIEVTTVRQQSBpZCA3NUEzMzY2MDExMgogZm9yIDxz
cXVpZC1hbm5vdW5jZUBsaXN0cy5zcXVpZC1jYWNoZS5vcmc+OwogV2VkLCAgNCBKdWwgMjAxOCAx
NzowMjo1OCArMTIwMCAoTlpTVCkKRnJvbTogQW1vcyBKZWZmcmllcyA8c3F1aWQzQHRyZWVuZXQu
Y28ubno+Ck9wZW5wZ3A6IHByZWZlcmVuY2U9c2lnbmVuY3J5cHQKQXV0b2NyeXB0OiBhZGRyPXNx
dWlkM0B0cmVlbmV0LmNvLm56OyBwcmVmZXItZW5jcnlwdD1tdXR1YWw7IGtleWRhdGE9CiB4c0ZO
QkZpT0V6b0JFQUR1dWF3SGlNT3FIQmpMNU1rNklmUENnSm1ZM29xSkRteWt6dmUrdkRoN2pBcnRG
bk9HMDY3ZnRhTUwKIGxpZ0doM3k2TE9MaDNyMWtJWjI1NENQSHVLRllzc0ExcDltWEw5WUpuWjFx
SHJRVmhxWndEcTdkSC9VdEJRMklNMVF1a29UbwogMVZSVEIzcHBpUEhLVFNhMnpaL2tnQnMwZCsx
TU9pOERZMlNtSURZVmhVSkk1NXFTcXB4bGNzNk15RzRLeGxFUEQzNUozbkw0CiBoSXpMenV6SWJa
b1VPNk0rZEx2bnFpRnUyK21tNm83NW54WW1xK0pDUHdONWJpRVRrU3ZuZHFyNTZ0L1cwYWpsVTFN
cEZYZk8KIFlKOFBmdXRySUJVUHNSSlVxV1FqR2c2dVhwNHRvckMxcTJYYXNmU0tWSVErOGR1dzdN
Q3JrQWZSdjVCdER0cGVzQUFzU2N2WQogVHdVYURZVmlvaU5OSzF1SlFabHJwWVk0STBFYkhJNEdI
S3E3UTRWbW90Y1EyQmhpZ3FSSWRoN2tEM2NvcmRkaGxMVHZUczBHCiA1UGprL1QyWm9NRlpJMDNn
K2lldW8xbDhWaENHZGxxU1FkOGQxTnA5V1d3Uzk4OTlRU2d1Y3dFZUcrT0syZjFJeHhEMTJIaUMK
IGdOb1NoOWlkOXZUWUxUWksrSE0xRkV1K2l3VHhmUTlGL2tETjQ5SWFQaGZ2akpUczg2T3Y0RkJU
dGFOVU4ycEYwcVhwUXIzQQogUmlzeFp0N3Q3TVZscys1NzBzTm5haWpZWWtMWmRaais0OVFBckp4
YWxsbHRYM3NiYzlBSzVKeGtUOFhpdlJDZUxUS09uZ1pFCiB6SVpDQmVadXlJOGNDZW1oVTBjc2w4
OVpjT1JiTXNnRlMyOEZ5V0g0K1g2bEErUjVIUUFSQVFBQnpTSkJiVzl6SUVwbFptWnkKIGFXVnpJ
RHhoYlc5elFIUnlaV1Z1WlhRdVkyOHVibm8rd3NHT0JCTUJDQUE0RmlFRUFpbXp3a3pPd2xRU2ZK
VXlBTmhqWjVRZwogdmRNRkFsaU9Fem9DR3dNRkN3a0lCd0lHRlFnSkNnc0NCQllDQXdFQ0hnRUNG
NEFBQ2drUUFOaGpaNVFndmRPS2toQUFzZWFnCiA3UVR6UkYyMFREd2M2UVFwZllkVXl1dU1xeUVW
M0F3QVR0SnhGMlkrYUYvaEVIWFU5WEJDTThFTXlpSlI4MTZoYUMrODZXY2kKIDBjWFlqN3BtUjgw
cHNSOUM2Sm9hTm9zODlDcmdzbU14OXRaUjV5SlhyZFRDblFhamJaZjNvenM3SURrNDFnNE52V2c1
R3RITQogM01ZcmlMMExVQlhMVCtZU1o5UXEyRG1SWlJhdENqazZ0aU1ZZUhHL0d0SDZHWnMzWUV4
Uk85QW0xNkMxZ1RKUmFvOW1KdENCCiBEUiswTnJSQjJFN3RLTjhFWnlTQXNaa0R6YkwraEwvTHBk
V2tFWnZsQnNTeEplYkFOMHg2NHczRlN6dEhHZlp3TGZMc3hkdmEKIDZDZllzOGthbEhvVHhSb1Jo
cElLbVR0R0ZKSTR2OWNSMCtVYTV0ck1QZ0hHMlFJT2dYT0t0T1RnZFlGNWtzQTk4WkYrT2RzdQog
Vzd5Q2U5UE9xYzRibkRiT1hCeXhWdU5NUHdWU0VTay9HSndueFJCMnZXNG55d1FLUkVKMkg2SGVE
TytLVmhMRTluSDVBbHNwCiBYcEVnUHB6WVZlcGxoY0tLaTZINTZiSTBhbklIdmFvN3ZFRVhOUDJw
d1JXU29NS0V3R1dHRzdRdm1lbVEwWWJzVXFKU0s1NjMKIFN3TmU1Y1ZVZy9DcWIwOG03RDl5YkFt
K2h3Z3R2elU3T0dzTHlJSHV5VnhuR2tCNUExR1YxbGl6VW1zRmF1Qnh5dzhZeDZHbQogd2Ztc2l3
RVZZVi9saWRnK3VibnN4cU43S3V2ZzlnWVJ2ditZZzF3bDFRRlJnZU9GamJVOGhqL0FhTkFQOVNw
cEhjQTVqb0JlCiBrYWtReDE4WTZMSUtLdmRvZXBEZzNtRlhyT291bzhqT3dVMEVXSTRUT2dFUUFN
bUVJU1FtSERkZTBxMllmeWVBOE1LZWpIbHQKIDV2Q2xkS1l3dGFONWlpMDc3dkphTnJRazlROEl5
bTZybzBwbEFkdExEVHp5UUNBVFdVY3RGNkIwVm93QjQvTHFGNDBVNGcrdQogTkFqN2Z6Qy9tVnZT
SUc0MmRpTjBwSllrY2ZkOWdoVmNGN0g1Q2VZZTJ6TDNUbHFpbHFRQTZYbXQ2aTdObVlVTU85Mzlq
dzdWCiBac3pNSGxxdkRUVXpjaW1LclRWQjdvUzMrcjV2MUdHVDNxK3V0cnhrYTNXb1EzSUhuaWRz
eWxiVGZGK2RsUnN2dEtXeHRnOGsKIG1UZ3Uvb2oxQ21VRTBEUWg2N2tYc2lDM25oamRVaCtlWmZE
R21MdU9HZ1ZBV1UvV05DUzNvYVZ4VlhXM3JYL25VYytVUmtpTwogQ3V4eVBqQnkrQThaK0k4T1hw
SWFDNkZRWTlzQ0ZWbzd5SzRVeHNLK2VNOTNtV0dJYzVjR0JMOTl2cis3WWdaM1RCallyYXpMCiBP
NVo4d3l3NzY1RzFVM2RQWkIrZWdSTUVZNUNPNjRlYjc4Zjd2YlJsOC9JTlpXZGtKeGNvdFI0d2VH
bnZPeHhESHluY1MzQlQKIFN1NmlpcW1YU3owWkRwYU9kQ01OREhFNkttdDFxdzJOYnVHVUhvaHFn
Mks4KzFtV25Yd2V2UzBhZnlkb0c3RVgwQXVFMVlFZgoga09Ec2VrOGNlRmo0VTJjMWpsT1FidU8w
MXBIYTZaOVZZbjVOT3dYRVRsSXl0akR5QnQxNVI3VHQxQlFRZzd3VTQ4MmE1U1NsCiB3WFl5ek94
NDJhMkNMdlpNMnRYbmJJWTRWWkR1K1YxeXdYTk1HT3M4QW0xTEp6aTc0ZUV2Mk5UYnZkRk1tc0dB
a1dOV242S1MKIDc3ZVIrcGU1QUJFQkFBSEN3WFlFR0FFSUFDQVdJUVFDS2JQQ1RNN0NWQko4bFRJ
QTJHTm5sQ0M5MHdVQ1dJNFRPZ0liREFBSwogQ1JBQTJHTm5sQ0M5MHplU0QvOXFFcEpBdHVFQVh5
Q0N5bVVFcHpONlhnU1dkY1lyYStOb2xJR0NSeldkM1NueHRCaSt6V3doCiBMRnhtOEFFaGZxU01S
aDk1VDRYV0tIU2NJc1padUc5eGlhcDV3aEo1eExKQy9ObFppZFFxaVBTSkxvZzIrWXF0K1BCVlBy
TXAKIGFHN0NtcTY0WTR0dHZGd0xaOFduMjNpckp6cjlKaVd2c2pwckltc0NaYnVHL0kxSldIVUlu
NzBva256c1RncFRQV0RDZm5DaQogR2hDSzd2Z1hhazlRZ0JLaHJ6Z0FESzNvNnVDam1ObGxVZGNp
OWdGelVTeTQveDl4NzN4cmJ6WFM4L3BPMjNmbmJCd1BhN1ZWCiA5SVJ0T2I4SEpKazhZNzlBMVpu
a1ZBTkJvMUttRStZY3c5MklNY3oyZXY0VkZ3K3BicVovc3dIcWEzeTNMNWNUN0tlcWdjNjcKIHdp
YWhTWlJjNXpNMGpKV3hOLy9scGdjZG5EUkkxT1NMQ3JNTUk2OXljMlFNelVadTg3QnRFSnptMERC
eTJwSUtFbmk5ZFNDdwogd01JVFVzVTIxTnkzUm1hVjdmbVhZQXlwOXBjYVFRV0dPYjJDSXZVN2s2
MGVMV2dmTlRvNVNHSTU2V1lDK25kb2Q3dlBVK3N3CiBKVmJLclFLcWZ3TzVKYmRZOVlQYm8rK1o2
a2ZybmJrbW0zd2tKNFc4ZE9jcmtMWWJtT2s3c0NvbGNRaFZibUd5NzRHZ3psNzUKIFIyMlE3K1Vo
amo5aXEwS3YzQ0dRM3JLVmRYT2ZBbzVPZWtkYU1EeDl0OUhvaXJHaW9rY3lDUFR5N3dBeXZRNzVs
YnJ5Z3hDbQogZTA1WEJmTFpIck1wK1NkTThPTnNkZ0llN1UwYkk4NXpZZWdjZVNhZ3pDdEJkQjhI
UTEwVEZnPT0KVG86IHNxdWlkLWFubm91bmNlQGxpc3RzLnNxdWlkLWNhY2hlLm9yZwpNZXNzYWdl
LUlEOiA8YzhmOTIwMmYtNDdiMS1jMzRlLTU0ODAtODE5MWQ1N2Y4YTJiQHRyZWVuZXQuY28ubno+
CkRhdGU6IFdlZCwgNCBKdWwgMjAxOCAxNzowMjo1MCArMTIwMApVc2VyLUFnZW50OiBNb3ppbGxh
LzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjUyLjApIEdlY2tvLzIwMTAwMTAxCiBUaHVuZGVy
YmlyZC81Mi44LjAKTUlNRS1WZXJzaW9uOiAxLjAKQ29udGVudC1MYW5ndWFnZTogZW4tVVMKWC1T
cGFtLUNoZWNrZXItVmVyc2lvbjogU3BhbUFzc2Fzc2luIDMuNC4wICgyMDE0LTAyLTA3KSBvbgog
bWFzdGVyLnNxdWlkLWNhY2hlLm9yZwpYLU1haWxtYW4tQXBwcm92ZWQtQXQ6IFdlZCwgMDQgSnVs
IDIwMTggMDU6MDU6MDggKzAwMDAKU3ViamVjdDogW3NxdWlkLWFubm91bmNlXSBTcXVpZCA0LjEg
aXMgYXZhaWxhYmxlClgtQmVlblRoZXJlOiBzcXVpZC1hbm5vdW5jZUBsaXN0cy5zcXVpZC1jYWNo
ZS5vcmcKWC1NYWlsbWFuLVZlcnNpb246IDIuMS4xNgpQcmVjZWRlbmNlOiBsaXN0Ckxpc3QtSWQ6
ICJUaGlzIGxpc3QgaXMgdXNlZCBmb3IgYW5ub3VuY2luZyBuZXcgU3F1aWQgcmVsZWFzZXMuIFRo
aXMgaXMgYQogbW9kZXJhdGVkIG1haWxpbmcgbGlzdCAtLSBzdWJzY3JpYmVycyBhcmUgbm90IGFs
bG93ZWQgdG8gcG9zdCBtZXNzYWdlcy4gVGhlCiBhbW91bnQgb2YgdHJhZmZpYyBpcyByZWxhdGl2
ZWx5IHNtYWxsOwogcGVyaGFwcyBvbmUgbWVzc2FnZSBwZXIgbW9udGguIiA8c3F1aWQtYW5ub3Vu
Y2UubGlzdHMuc3F1aWQtY2FjaGUub3JnPgpMaXN0LVVuc3Vic2NyaWJlOiA8aHR0cDovL2xpc3Rz
LnNxdWlkLWNhY2hlLm9yZy9vcHRpb25zL3NxdWlkLWFubm91bmNlPiwKIDxtYWlsdG86c3F1aWQt
YW5ub3VuY2UtcmVxdWVzdEBsaXN0cy5zcXVpZC1jYWNoZS5vcmc/c3ViamVjdD11bnN1YnNjcmli
ZT4KTGlzdC1BcmNoaXZlOiA8aHR0cDovL2xpc3RzLnNxdWlkLWNhY2hlLm9yZy9waXBlcm1haWwv
c3F1aWQtYW5ub3VuY2UvPgpMaXN0LVBvc3Q6IDxtYWlsdG86c3F1aWQtYW5ub3VuY2VAbGlzdHMu
c3F1aWQtY2FjaGUub3JnPgpMaXN0LUhlbHA6IDxtYWlsdG86c3F1aWQtYW5ub3VuY2UtcmVxdWVz
dEBsaXN0cy5zcXVpZC1jYWNoZS5vcmc/c3ViamVjdD1oZWxwPgpMaXN0LVN1YnNjcmliZTogPGh0
dHA6Ly9saXN0cy5zcXVpZC1jYWNoZS5vcmcvbGlzdGluZm8vc3F1aWQtYW5ub3VuY2U+LAogPG1h
aWx0bzpzcXVpZC1hbm5vdW5jZS1yZXF1ZXN0QGxpc3RzLnNxdWlkLWNhY2hlLm9yZz9zdWJqZWN0
PXN1YnNjcmliZT4KQ29udGVudC1UeXBlOiB0ZXh0L3BsYWluOyBjaGFyc2V0PSJ1dGYtOCIKRXJy
b3JzLVRvOiBzcXVpZC1hbm5vdW5jZS1ib3VuY2VzQGxpc3RzLnNxdWlkLWNhY2hlLm9yZwpTZW5k
ZXI6ICJzcXVpZC1hbm5vdW5jZSIgPHNxdWlkLWFubm91bmNlLWJvdW5jZXNAbGlzdHMuc3F1aWQt
Y2FjaGUub3JnPgpYLVZpcnVzLVNjYW5uZWQ6IGNsYW1hdi1taWx0ZXIgMC45OS40IGF0IG1hc3Rl
ci5zcXVpZC1jYWNoZS5vcmcKWC1WaXJ1cy1TdGF0dXM6IENsZWFuCkF1dGhlbnRpY2F0aW9uLVJl
c3VsdHM6IG1haWwwMS5pcGZpcmUub3JnOwoJc3BmPXBhc3Mgc210cC5tYWlsZnJvbT1tc3RyZW1l
ckBnbWFpbC5jb20KWC1TcGFtZC1SZXN1bHQ6IGRlZmF1bHQ6IEZhbHNlIFstNi40NSAvIDExLjAw
XTsgUkNQVF9DT1VOVF9PTkUoMC4wMClbMV07CiBSV0xfTUFJTFNQSUtFX1BPU1NJQkxFKDAuMDAp
WzE3NS4yMTcuODUuMjA5LnJlcC5tYWlsc3Bpa2UubmV0IDogMTI3LjAuMC4xN107CiBGT1JHRURf
UkVDSVBJRU5UU19NQUlMTElTVCgwLjAwKVtdOyBSQ1ZEX0NPVU5UX1NFVkVOKDAuMDApWzddOwog
UkJMX1NPUkJTX1NBRkUoMS41MClbMTc1LjIxNy44NS4yMDkuc2FmZS5kbnNibC5zb3Jicy5uZXRd
OyBSX0RLSU1fTkEoMC4wMClbXTsKIEZST01fTkVRX0VOVkZST00oMC4wMClbc3F1aWQzQHRyZWVu
ZXQuY28ubnosbXN0cmVtZXJAZ21haWwuY29tXTsKIEJBWUVTX0hBTSgtMy4wMClbMTAwLjAwJV07
IFRPX0ROX05PTkUoMC4wMClbXTsgRlJPTV9IQVNfRE4oMC4wMClbXTsgCiA9P3V0Zi04P3E/Rk9S
R0VEPTVGUkVDSVBJRU5UUz0yODA9MkUwMD0yOT01QnNxdWlkLWFubm91bmNlPTQwbGlzdHM9MkVz
cXVpZC0/PQogPT91dGYtOD9xP2NhY2hlPTJFb3JnPTJDbWljaGFlbD00MHRyZW1lcj0yRWluZm89
NUQ9M0I/PQogRk9SR0VEX1NFTkRFUigwLjAwKVtzcXVpZDNAdHJlZW5ldC5jby5ueixtc3RyZW1l
ckBnbWFpbC5jb21dOwogTUFJTExJU1QoLTAuMjApW21haWxtYW5dOyBNSU1FX0dPT0QoLTAuMTAp
W3RleHQvcGxhaW5dOwogTUlNRV9CQVNFNjRfVEVYVCgwLjEwKVtdOyBNSURfUkhTX01BVENIX0ZS
T00oMC4wMClbXTsKIFRBR0dFRF9GUk9NKDAuMDApW2NhZl89bWljaGFlbD10cmVtZXJpbmZvXTsg
QVNOKDAuMDApW2FzbjoxNTE2OSwKIGlwbmV0OjIwOS44NS4xMjguMC8xNywgY291bnRyeTpVU107
IFJDVkRfVExTX0xBU1QoMC4wMClbXTsKIElQX1NDT1JFKC0zLjUzKVtpcDogKC05LjQxKSwgaXBu
ZXQ6IDIwOS44NS4xMjguMC8xNygtNC40OSksIGFzbjoKIDE1MTY5KC0zLjY0KSwgY291bnRyeTog
VVMoLTAuMTApXTsgRlJFRU1BSUxfRU5WRlJPTSgwLjAwKVtnbWFpbC5jb21dOwogRE1BUkNfTkEo
MC4wMClbdHJlZW5ldC5jby5uel07IEhBU19MSVNUX1VOU1VCKC0wLjAxKVtdOwogRk9SR0VEX1NF
TkRFUl9NQUlMTElTVCgwLjAwKVtdOwogUkNWRF9JTl9ETlNXTF9OT05FKDAuMDApWzE3NS4yMTcu
ODUuMjA5Lmxpc3QuZG5zd2wub3JnIDogMTI3LjAuNS4wXTsKIFJfU1BGX0FMTE9XKC0wLjIwKVsr
aXA0OjIwOS44NS4xMjguMC8xN107IFJDVkRfVklBX1NNVFBfQVVUSCgwLjAwKVtdOwogTVhfR09P
RCgtMC4wMSlbY2FjaGVkOiBhbHQzLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tXTsKIEFSQ19B
TExPVygtMS4wMClbaT0xXQpYLVNwYW0tU3RhdHVzOiBObywgc2NvcmU9LTYuNDUKWC1Sc3BhbWQt
U2VydmVyOiBtYWlsMDEuaS5pcGZpcmUub3JnCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IDdi
aXQKClRoZSBTcXVpZCBIVFRQIFByb3h5IHRlYW0gaXMgdmVyeSBwbGVhc2VkIHRvIGFubm91bmNl
IHRoZSBhdmFpbGFiaWxpdHkKb2YgdGhlIFNxdWlkLTQuMSByZWxlYXNlIQoKClRoaXMgcmVsZWFz
ZSBpcyB3ZSBiZWxpZXZlLCBzdGFibGUgZW5vdWdoIGZvciBnZW5lcmFsIHByb2R1Y3Rpb24gdXNl
LgoKU3VwcG9ydCBmb3IgU3F1aWQtMy54IGJ1ZyBmaXhlcyBoYXMgbm93IG9mZmljaWFsbHkgY2Vh
c2VkLiBCdWdzIGluIDMuNQp3aWxsIGNvbnRpbnVlIHRvIGJlIGZpeGVkLCBob3dldmVyIHRoZSBm
aXhlcyB3aWxsIGJlIGFkZGVkIHRvIHRoZSA0LngKc2VyaWVzLiBBbGwgdXNlcnMgb2YgU3F1aWQt
My54IGFyZSBlbmNvdXJhZ2VkIHRvIHBsYW4gZm9yIHVwZ3JhZGVzLgoKCkEgc2hvcnQgbGlzdCBv
ZiB0aGUgbWFqb3IgbmV3IGZlYXR1cmVzIGlzOgoKICogUkZDIDYxNzYgY29tcGxpYW5jZSAoU1NM
djIgc3VwcG9ydCByZW1vdmFsKQogKiBTZWN1cmUgSUNBUCBzZXJ2aWNlIGNvbm5lY3Rpb25zCiAq
IEFkZCB1cmxfbGZzX3Jld3JpdGU6IGEgVVJMLXJld3JpdGVyIGJhc2VkIG9uIGxvY2FsIGZpbGUg
ZXhpc3RlbmNlCiAqIG9uX3Vuc3VwcG9ydGVkX3Byb3RvY29sIGRpcmVjdGl2ZSB0byBhbGxvdyBO
b24tSFRUUCBieXBhc3MKICogVXBkYXRlIGV4dGVybmFsX2FjbF90eXBlIGRpcmVjdGl2ZSB0byB1
c2UgbG9nZm9ybWF0IGNvZGVzCiAqIEV4cGVyaW1lbnRhbCBHbnVUTFMgc3VwcG9ydCBmb3Igc29t
ZSBUTFMgZmVhdHVyZXMKICogVExTL1NTTCByZWxhdGVkIGhlbHBlcnMgcmVuYW1lZAoKClNldmVy
YWwgZmVhdHVyZXMgaGF2ZSBiZWVuIHJlbW92ZWQgaW4gNC4xOgoKICogcmVmcmVzaF9wYXR0ZXJu
IGlnbm9yZS1hdXRoIGFuZCBpZ25vcmUtbXVzdC1yZXZhbGlkYXRlIG9wdGlvbnMKICogY2FjaGVf
cGVlcl9kb21haW4gZGlyZWN0aXZlCiAqIGJhc2ljX21zbnRfbXVsdGlfZG9tYWluX2F1dGggaGVs
cGVyCiAqIEVTSSBjdXN0b20gcGFyc2VyIC0gdXNlIFhNTDIgb3IgRXhwYXQgaW5zdGVhZC4KCkZ1
cnRoZXIgZGV0YWlscyBjYW4gYmUgZm91bmQgaW4gdGhlIHJlbGVhc2Ugbm90ZXMgb3IgdGhlIHdp
a2kuCmh0dHA6Ly93d3cuc3F1aWQtY2FjaGUub3JnL1ZlcnNpb25zL3Y0L1JFTEVBU0VOT1RFUy5o
dG1sCmh0dHA6Ly93aWtpLnNxdWlkLWNhY2hlLm9yZy9TcXVpZC00CgoKUGxlYXNlIHJlbWVtYmVy
IHRvIHJ1biAic3F1aWQgLWsgcGFyc2UiIHdoZW4gdGVzdGluZyB1cGdyYWRlIHRvIGEgbmV3CnZl
cnNpb24gb2YgU3F1aWQuIEl0IHdpbGwgYXVkaXQgeW91ciBjb25maWd1cmF0aW9uIGZpbGVzIGFu
ZCByZXBvcnQKYW55IGlkZW50aWZpYWJsZSBpc3N1ZXMgdGhlIG5ldyByZWxlYXNlIHdpbGwgaGF2
ZSBpbiB5b3VyIGluc3RhbGxhdGlvbgpiZWZvcmUgeW91ICJwcmVzcyBnbyIuCgpQbGVhc2UgYmUg
cGFydGljdWxhcmx5IGF3YXJlIHRoYXQgZm9yIHRoZSBUTFMgZmVhdHVyZXMgdGhlIHJlbW92YWwg
b2YKU1NMdjIgc3VwcG9ydCBtYXkgcmVxdWlyZSBtYW51YWwgYXR0ZW50aW9uIHRvIGNvbmZpZ3Vy
YXRpb24gc2V0dGluZ3MKd2hlbiB1cGdyYWRpbmcgZnJvbSBhbnkgU3F1aWQtMyBvciBvbGRlciB2
ZXJzaW9uLgoKCkFsbCBmZWF0dXJlIGFkZGl0aW9ucyBhcmUgY29uc2lkZXJlZCAqZXhwZXJpbWVu
dGFsKiB1bnRpbCB0aGV5IGhhdmUKc3Vydml2ZWQgYXQgbGVhc3Qgb25lIHNlcmllcyBvZiByZWxl
YXNlcyBpbiBnZW5lcmFsIHByb2R1Y3Rpb24gdXNlLgpQbGVhc2UgYmUgYXdhcmUgb2YgdGhhdCB3
aGVuIHJvbGxpbmcgb3V0IGZlYXR1cmVzIHdoaWNoIGFyZSBuZXcgaW4KdGhpcyBzZXJpZXMuIE5v
dCBhbGwgdXNlLWNhc2VzIGhhdmUgYmVlbiB3ZWxsIHRlc3RlZCB5ZXQgYW5kIHNvbWUgbWF5Cm5v
dCBldmVuIGhhdmUgYmVlbiBpbXBsZW1lbnRlZC4gQXNzaXN0YW5jZSBpcyBzdGlsbCBuZWVkZWQg
ZGVzcGl0ZSB0aGUKcmVsZWFzZXMgZ2VuZXJhbCBzdGFiaWxpdHkgbGV2ZWwuCgoKUGxhbnMgZm9y
IHRoZSBuZXh0IHNlcmllcyBvZiByZWxlYXNlcyBpcyBhbHJlYWR5IHdlbGwgdW5kZXJ3YXkuIE91
cgpmdXR1cmUgcmVsZWFzZSBwbGFucyBhbmQgdXBjb21pbmcgZmVhdHVyZXMgY2FuIGJlIGZvdW5k
IGF0OgpodHRwOi8vd2lraS5zcXVpZC1jYWNoZS5vcmcvUm9hZE1hcAoKCiBTZWUgdGhlIENoYW5n
ZUxvZyBmb3IgdGhlIGZ1bGwgbGlzdCBvZiBjaGFuZ2VzIGluIHRoaXMgYW5kIGVhcmxpZXIKIHJl
bGVhc2VzLgoKICBBbGwgdXNlcnMgb2YgU3F1aWQtNC4wIGJldGEgcmVsZWFzZXMgYXJlIHVyZ2Vk
IHRvIHVwZ3JhZGUgdG8gdGhpcwogIHJlbGVhc2UgYXMgc29vbiBhcyBwb3NzaWJsZS4KCiAgQWxs
IHVzZXJzIG9mIFNxdWlkLTMgYXJlIGVuY291cmFnZWQgdG8gdXBncmFkZXMgd2hlcmUgcG9zc2li
bGUuCgoKU2VlIHRoZSBDaGFuZ2VMb2cgZm9yIHRoZSBmdWxsIGxpc3Qgb2YgY2hhbmdlcyBpbiB0
aGlzIGFuZCBlYXJsaWVyCnJlbGVhc2VzLgoKUGxlYXNlIHJlZmVyIHRvIHRoZSByZWxlYXNlIG5v
dGVzIGF0Cmh0dHA6Ly93d3cuc3F1aWQtY2FjaGUub3JnL1ZlcnNpb25zL3Y0L1JFTEVBU0VOT1RF
Uy5odG1sCndoZW4geW91IGFyZSByZWFkeSB0byBtYWtlIHRoZSBzd2l0Y2ggdG8gU3F1aWQtNAoK
VGhpcyBuZXcgcmVsZWFzZSBjYW4gYmUgZG93bmxvYWRlZCBmcm9tIG91ciBIVFRQIG9yIEZUUCBz
ZXJ2ZXJzCgogIGh0dHA6Ly93d3cuc3F1aWQtY2FjaGUub3JnL1ZlcnNpb25zL3Y0LwogIGZ0cDov
L2Z0cC5zcXVpZC1jYWNoZS5vcmcvcHViL3NxdWlkLwogIGZ0cDovL2Z0cC5zcXVpZC1jYWNoZS5v
cmcvcHViL2FyY2hpdmUvNC8KCm9yIHRoZSBtaXJyb3JzLiBGb3IgYSBsaXN0IG9mIG1pcnJvciBz
aXRlcyBzZWUKCiAgaHR0cDovL3d3dy5zcXVpZC1jYWNoZS5vcmcvRG93bmxvYWQvaHR0cC1taXJy
b3JzLmh0bWwKICBodHRwOi8vd3d3LnNxdWlkLWNhY2hlLm9yZy9Eb3dubG9hZC9taXJyb3JzLmh0
bWwKCklmIHlvdSBlbmNvdW50ZXIgYW55IGlzc3VlcyB3aXRoIHRoaXMgcmVsZWFzZSBwbGVhc2Ug
ZmlsZSBhIGJ1ZyByZXBvcnQuCiAgaHR0cDovL2J1Z3Muc3F1aWQtY2FjaGUub3JnLwoKCkFtb3Mg
SmVmZnJpZXMKX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18K
c3F1aWQtYW5ub3VuY2UgbWFpbGluZyBsaXN0CnNxdWlkLWFubm91bmNlQGxpc3RzLnNxdWlkLWNh
Y2hlLm9yZwpodHRwOi8vbGlzdHMuc3F1aWQtY2FjaGUub3JnL2xpc3RpbmZvL3NxdWlkLWFubm91
bmNlCg==

--===============5374038360581794484==--


From michael.tremer@ipfire.org Wed Jul  4 10:17:03 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: 'collectd' and 'cpufreq' on IPFire Duobox - wrong path in initscript?
Date: Wed, 04 Jul 2018 10:17:02 +0100
Message-ID: <209fb2c11e4681b36caf9d5fb5b13ddb92bddf3f.camel@ipfire.org>
In-Reply-To: <e5561d5c3211d4d0e87b787f3c42669d@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2511033712657361900=="

--===============2511033712657361900==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Wed, 2018-07-04 at 01:09 +0200, Arne Fitzenreiter wrote:
> On some maschines the file i

The file was what?

>=20
> I think this need more investigation.
>=20
>=20
>=20
> > This was triggered by
> > https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dcommitdiff;h=3D37458540bf7=
27df09989
> > c10d640ad13c1a989029
> >=20
> > I thought some cpu graphs on my "Duo Box" could be helpful and=20
> > installed
> > 'cpufrequtils'.
> >=20
> > But after adding the above commit to '/etc/init.d/collectd'
> > and restarting 'collectd' =3D> no graphs appeared.
> >=20
> > Reason:
> > The needed directory '/sys/devices/system/cpu/cpufreq/policy0/' doesn't
> > exist on my machine, so the 'LoadPlugin' was always commented and
> > deactivated.
> >=20
> > Instead there are '/sys/devices/system/cpu/cpu0' and
> > '/sys/devices/system/cpu/cpu1'.
> >=20
> > So I tested this the hard way.
> >=20
> > After commenting the if-statement, everything is working, CPU graphs
> > appear and show reasonable values:
> >=20
> > ...
> > # Enable cpufreq plugin if cpufreq found
> > #if [ ! -e  /sys/devices/system/cpu/cpufreq/policy0/*_cur_freq ]; then
> > #	sed -i -e "s|^LoadPlugin cpufreq|#LoadPlugin cpufreq|g"=20
> > /etc/collectd.conf
> > #else
> > 	sed -i -e "s|^#LoadPlugin cpufreq|LoadPlugin cpufreq|g"=20
> > /etc/collectd.conf
> > #fi
> > ...
> >=20
> > Changed this to:
> >=20
> > ...
> > if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/*_cur_freq ]; then
> > ..
> >=20
> > But this gave me an error:
> >=20
> > /etc/init.d/collectd: line 95: [:
> > /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq: binary operator
> > expected
> >=20
> > I changed the line to:
> >=20
> > ...
> > if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq ]; then
> > ...
> >=20
> > And now it is running as expected.
> >=20
> > Would this be ok for other machines?
> > Bug or feature - can anyone confirm?
> >=20
> > Best,
> > Matthias
> >=20
> > P.S.: I didn't forget the Telko - I was still at work. Too bad...

--===============2511033712657361900==--


From Arne.Fitzenreiter@ipfire.org Wed Jul  4 12:51:51 2018
From: Arne Fitzenreiter <Arne.Fitzenreiter@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: 'collectd' and 'cpufreq' on IPFire Duobox - wrong path in initscript?
Date: Wed, 04 Jul 2018 13:51:51 +0200
Message-ID: <0e61086c7d2dabbdbbe0f0a2f369af26@ipfire.org>
In-Reply-To: <209fb2c11e4681b36caf9d5fb5b13ddb92bddf3f.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3611305160148135891=="

--===============3611305160148135891==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On 2018-07-04 11:17, Michael Tremer wrote:
> On Wed, 2018-07-04 at 01:09 +0200, Arne Fitzenreiter wrote:
>> On some maschines the file i
>=20
> The file was what?
>=20
This was a mistake in my mail mail. I had written about cpuinfo_cur_freq=20
and deleted (not complete bacause my tablet has not showed it) this part=20
after i have readed the mail again and found the missing "profile0" in=20
Matthias path.

I had added the infos to the bug and wait for comments before i change=20
it again...


>>=20
>> I think this need more investigation.
>>=20
>>=20
>>=20
>> > This was triggered by
>> > https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dcommitdiff;h=3D37458540bf=
727df09989
>> > c10d640ad13c1a989029
>> >
>> > I thought some cpu graphs on my "Duo Box" could be helpful and
>> > installed
>> > 'cpufrequtils'.
>> >
>> > But after adding the above commit to '/etc/init.d/collectd'
>> > and restarting 'collectd' =3D> no graphs appeared.
>> >
>> > Reason:
>> > The needed directory '/sys/devices/system/cpu/cpufreq/policy0/' doesn't
>> > exist on my machine, so the 'LoadPlugin' was always commented and
>> > deactivated.
>> >
>> > Instead there are '/sys/devices/system/cpu/cpu0' and
>> > '/sys/devices/system/cpu/cpu1'.
>> >
>> > So I tested this the hard way.
>> >
>> > After commenting the if-statement, everything is working, CPU graphs
>> > appear and show reasonable values:
>> >
>> > ...
>> > # Enable cpufreq plugin if cpufreq found
>> > #if [ ! -e  /sys/devices/system/cpu/cpufreq/policy0/*_cur_freq ]; then
>> > #	sed -i -e "s|^LoadPlugin cpufreq|#LoadPlugin cpufreq|g"
>> > /etc/collectd.conf
>> > #else
>> > 	sed -i -e "s|^#LoadPlugin cpufreq|LoadPlugin cpufreq|g"
>> > /etc/collectd.conf
>> > #fi
>> > ...
>> >
>> > Changed this to:
>> >
>> > ...
>> > if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/*_cur_freq ]; then
>> > ..
>> >
>> > But this gave me an error:
>> >
>> > /etc/init.d/collectd: line 95: [:
>> > /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq: binary operator
>> > expected
>> >
>> > I changed the line to:
>> >
>> > ...
>> > if [ ! -e /sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_cur_freq ]; then
>> > ...
>> >
>> > And now it is running as expected.
>> >
>> > Would this be ok for other machines?
>> > Bug or feature - can anyone confirm?
>> >
>> > Best,
>> > Matthias
>> >
>> > P.S.: I didn't forget the Telko - I was still at work. Too bad...

--===============3611305160148135891==--


From michael.tremer@ipfire.org Wed Jul  4 14:59:59 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Wed, 04 Jul 2018 14:59:57 +0100
Message-ID: <89a296105302b7c3d9fa8415e5e596676e3d635b.camel@ipfire.org>
In-Reply-To: <1530639659.13853.10.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8660101886492342832=="

--===============8660101886492342832==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

On Tue, 2018-07-03 at 19:40 +0200, ummeegge wrote:
> Hi Michael,
> 
> Am Dienstag, den 03.07.2018, 15:31 +0100 schrieb Michael Tremer:
> > Hi,
> > 
> > On Tue, 2018-07-03 at 14:18 +0200, ummeegge wrote:
> > > 
> > > Hi Michael,
> > > thanks for merging. I have seen that you´d applied version 1 of
> > > this
> > > patch
> > > https://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff;f=html/cgi-bin/
> > > ovpnmain.cg
> > > i;h=c0c7cff6d87f6e18206129ab196172be61683a38;hp=5cd19a0f38f564c54e6
> > > 72814e0b591
> > > 8134889b17;hb=15a3aa45cf27c61a581f892b5f3a3905335a12b0;hpb=8ae4010b
> > > 312830bce82
> > > 721325f0aeae524b2810a
> > > 
> > > but there´s a version 2 of it 
> > > https://patchwork.ipfire.org/patch/1842/ 
> > > which we should in any case prefer.
> > 
> > Oh sorry. If you can, please mark the v1 as such in Patchwork. I am
> > not sure if
> > we can trigger this automatically via email.
> 
> You mean to mark the first patch as v1 ? In that case i need to setup
> the old patch again as a new one and send it as answer to the v2 patch.

No, not as v1, but in Patchwork, when you log in manually, you can set a patch
as superseeded. It is a bit annoying to do this manually, but I do not know
about any better way.

> > > 
> > > P.S. I do have some more OpenVPN patches (extensions no bugs),
> > > should i commit
> > > some more or should we wait until the next release ?
> > 
> > What are those?
> 
> Wanted to finish the 2.4 OpenVPN project in the course which we did
> discussed some time ago. So i thought about this order:
> 
> 1) Automatic cipher negotiation for RWs only (checkbox in advanced
> section)

Isn't that something you would always want?

> 2) tls-crypt for N2N only (checkbox in N2N main menu).
> 3) LZ4 compression possibility for N2N and RW (menu with possiblity for
> none, lzo, lz4v2)

Yes, that should be a dropdown then instead of a checkbox.

> 4) Clean up ovpnmain.cgi from mtu-discovery since there are some old
> code blocks left.

Okay, cool.

> There is more but to get the old list shorter for the first.

I guess it is best to start with the cleanup and then send in the other things
one patch, or one patchset at a time.

Best,
-Michael

> 
> Best,
> 
> Erik

--===============8660101886492342832==--


From matthias.fischer@ipfire.org Wed Jul  4 15:54:29 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 16:54:33 +0200
Message-ID: <7a8c0ea5-6337-d29c-4944-4c980bdd78f5@ipfire.org>
In-Reply-To: <51c9b839bbe41426c9f84bda2d9e9343d9ec4d28.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8955907988883280990=="

--===============8955907988883280990==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On 04.07.2018 11:12, Michael Tremer wrote:
> Squid 4.1 has been released.

Yep.

> @Matthias: As far as I remember, you have been working on updating squid be=
fore.
> Will you have a look at this?

I'm "looking at it" right now. ;-)

When I came home, Devel was ready.

First compiled version (32bit) is running here. No seen problems.

But today they released the first patch
(http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b018=
f4b6a5b5c6be4816f72166.patch).
Great...

I think we're not affected ("There is a Segfault when opening long URLs
if Bump is enabled and the on_unsupported_protocol option is set. Proxy
mode is transparent.") but to be complete, I'd like to include this one.

This requires a clean build (~5:30 hours). Patched version will be ready
tomorrow. Ok?

Best,
Matthias

--===============8955907988883280990==--


From michael.tremer@ipfire.org Wed Jul  4 15:57:13 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 15:57:12 +0100
Message-ID: <dab11da4f7181d039c49a3e22ef0cbd8df8b12f0.camel@ipfire.org>
In-Reply-To: <7a8c0ea5-6337-d29c-4944-4c980bdd78f5@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1867460215550682354=="

--===============1867460215550682354==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
> Hi,
>=20
> On 04.07.2018 11:12, Michael Tremer wrote:
> > Squid 4.1 has been released.
>=20
> Yep.
>=20
> > @Matthias: As far as I remember, you have been working on updating squid
> > before.
> > Will you have a look at this?
>=20
> I'm "looking at it" right now. ;-)
>=20
> When I came home, Devel was ready.
>=20
> First compiled version (32bit) is running here. No seen problems.
>=20
> But today they released the first patch
> (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b0=
18f
> 4b6a5b5c6be4816f72166.patch).
> Great...
>=20
> I think we're not affected ("There is a Segfault when opening long URLs
> if Bump is enabled and the on_unsupported_protocol option is set. Proxy
> mode is transparent.") but to be complete, I'd like to include this one.
>=20
> This requires a clean build (~5:30 hours). Patched version will be ready
> tomorrow. Ok?

No hurry at all. I guess this already shows us that we should not migrate to
squid 4, yet. There are still many bugs in it. But what we need to do is to
review the proxy.cgi and see if the configuration file is valid and make chan=
ges
if required.

-Michael

>=20
> Best,
> Matthias

--===============1867460215550682354==--


From matthias.fischer@ipfire.org Wed Jul  4 16:04:36 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 17:04:35 +0200
Message-ID: <bc76867f-9876-1650-4df3-84efed2ec8dc@ipfire.org>
In-Reply-To: <dab11da4f7181d039c49a3e22ef0cbd8df8b12f0.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9218845088449979169=="

--===============9218845088449979169==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On 04.07.2018 16:57, Michael Tremer wrote:
> On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>> Hi,
>>=20
>> On 04.07.2018 11:12, Michael Tremer wrote:
>> > Squid 4.1 has been released.
>>=20
>> Yep.
>>=20
>> > @Matthias: As far as I remember, you have been working on updating squid
>> > before.
>> > Will you have a look at this?
>>=20
>> I'm "looking at it" right now. ;-)
>>=20
>> When I came home, Devel was ready.
>>=20
>> First compiled version (32bit) is running here. No seen problems.
>>=20
>> But today they released the first patch
>> (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310c3b=
018f
>> 4b6a5b5c6be4816f72166.patch).
>> Great...
>>=20
>> I think we're not affected ("There is a Segfault when opening long URLs
>> if Bump is enabled and the on_unsupported_protocol option is set. Proxy
>> mode is transparent.") but to be complete, I'd like to include this one.
>>=20
>> This requires a clean build (~5:30 hours). Patched version will be ready
>> tomorrow. Ok?
>=20
> No hurry at all. I guess this already shows us that we should not migrate to
> squid 4, yet. There are still many bugs in it. But what we need to do is to
> review the proxy.cgi and see if the configuration file is valid and make ch=
anges
> if required.

Im testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
shown an error since then, except this one - and I can't find the reason:

"WARNING: Ignoring error setting default trusted CA : An unimplemented
or disabled feature has been requested."

For me, its running stable - but I keep my eyes on this.

Best,
Matthias

--===============9218845088449979169==--


From matthias.fischer@ipfire.org Wed Jul  4 17:15:08 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Loaded module - speedstep_lib - needed or safe to unload
Date: Wed, 04 Jul 2018 18:15:07 +0200
Message-ID: <b9760367-fe94-ef2e-d40d-e6ff82376a9d@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3650833854595827196=="

--===============3650833854595827196==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Yesterday I tested 'cpufrequtil', but it looks as I don'T need it, so I
uninstalled it.

It loaded some modules per 'modprobe'. I searched per 'lsmod' and
already unloaded 'cpufreq_conservative' and 'cpufreq_ondemand'. CPU
graphs still show up, everything seems to be working.

But there is one module left which I'm not sure of, 'speedstep_lib'
which is loaded by the init script of 'cpufreq':

...
# try cpufreq hardware depend modules
	for i in $(find /lib/modules/$(uname -r)/kernel/drivers/cpufreq \
		! -name speedstep-lib.ko ! -name p4-clockmod.ko ! -name "cpufreq_*" ! -name=
 mperf.ko | sort -d -r); do
...

Is it safe to unload this module per 'modprobe -r ...'?

I want to avoid a complete reboot...

Thanks for all tips!

Best,
Matthias

--===============3650833854595827196==--


From michael.tremer@ipfire.org Wed Jul  4 17:43:39 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 17:43:38 +0100
Message-ID: <75be0f91059782319bfc82621ac4df7646f35dfa.camel@ipfire.org>
In-Reply-To: <bc76867f-9876-1650-4df3-84efed2ec8dc@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0138943121708922491=="

--===============0138943121708922491==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
> On 04.07.2018 16:57, Michael Tremer wrote:
> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
> > > Hi,
> > >=20
> > > On 04.07.2018 11:12, Michael Tremer wrote:
> > > > Squid 4.1 has been released.
> > >=20
> > > Yep.
> > >=20
> > > > @Matthias: As far as I remember, you have been working on updating sq=
uid
> > > > before.
> > > > Will you have a look at this?
> > >=20
> > > I'm "looking at it" right now. ;-)
> > >=20
> > > When I came home, Devel was ready.
> > >=20
> > > First compiled version (32bit) is running here. No seen problems.
> > >=20
> > > But today they released the first patch
> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd74072310=
c3b
> > > 018f
> > > 4b6a5b5c6be4816f72166.patch).
> > > Great...
> > >=20
> > > I think we're not affected ("There is a Segfault when opening long URLs
> > > if Bump is enabled and the on_unsupported_protocol option is set. Proxy
> > > mode is transparent.") but to be complete, I'd like to include this one.
> > >=20
> > > This requires a clean build (~5:30 hours). Patched version will be ready
> > > tomorrow. Ok?
> >=20
> > No hurry at all. I guess this already shows us that we should not migrate=
 to
> > squid 4, yet. There are still many bugs in it. But what we need to do is =
to
> > review the proxy.cgi and see if the configuration file is valid and make
> > changes
> > if required.
>=20
> Im testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
> shown an error since then, except this one - and I can't find the reason:
>=20
> "WARNING: Ignoring error setting default trusted CA : An unimplemented
> or disabled feature has been requested."

Did you go through the changelog to identify any configuration options that y=
ou
might not be using and which have been discontinued?

Best,
-Michael

>=20
> For me, its running stable - but I keep my eyes on this.
>=20
> Best,
> Matthias

--===============0138943121708922491==--


From michael.tremer@ipfire.org Wed Jul  4 17:48:08 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] usbutils: update to 010
Date: Wed, 04 Jul 2018 17:48:07 +0100
Message-ID: <2978ffce9c559633cff952dcc2ea90151686232a.camel@ipfire.org>
In-Reply-To: <cf744d8b-b4d7-c7b6-8af1-361ea9ac97ee@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8949475387401654763=="

--===============8949475387401654763==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

this patch was missing a check of the rootfile.

  https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dcommitdiff;h=3D9aefd1ed07eee=
7d83e5b274d4a83240811f9e091

Please run a clean build to make sure that there have been no changes.

Best,
-Michael

On Sat, 2018-06-30 at 17:04 +0200, Peter M=C3=BCller wrote:
> Signed-off-by: Peter M=C3=BCller <peter.mueller(a)link38.eu>
> ---
>  lfs/usbutils | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>=20
> diff --git a/lfs/usbutils b/lfs/usbutils
> index 51192e7e7..41494cf10 100644
> --- a/lfs/usbutils
> +++ b/lfs/usbutils
> @@ -24,7 +24,7 @@
> =20
>  include Config
> =20
> -VER        =3D 007
> +VER        =3D 010
> =20
>  THISAPP    =3D usbutils-$(VER)
>  DL_FILE    =3D $(THISAPP).tar.xz
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE)
> =20
>  $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
> =20
> -$(DL_FILE)_MD5 =3D c9df5107ae9d26b10a1736a261250139
> +$(DL_FILE)_MD5 =3D 938e3707593974be99a0dd6d1de76671
> =20
>  install : $(TARGET)
> =20

--===============8949475387401654763==--


From matthias.fischer@ipfire.org Wed Jul  4 19:52:07 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Wed, 04 Jul 2018 20:52:07 +0200
Message-ID: <9aa23d5a-0f10-2508-a2c5-707b78193f9d@ipfire.org>
In-Reply-To: <75be0f91059782319bfc82621ac4df7646f35dfa.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1708043523905779737=="

--===============1708043523905779737==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On 04.07.2018 18:43, Michael Tremer wrote:
> On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
>> On 04.07.2018 16:57, Michael Tremer wrote:
>> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>> > > Hi,
>> > >=20
>> > > On 04.07.2018 11:12, Michael Tremer wrote:
>> > > > Squid 4.1 has been released.
>> > >=20
>> > > Yep.
>> > >=20
>> > > > @Matthias: As far as I remember, you have been working on updating s=
quid
>> > > > before.
>> > > > Will you have a look at this?
>> > >=20
>> > > I'm "looking at it" right now. ;-)
>> > >=20
>> > > When I came home, Devel was ready.
>> > >=20
>> > > First compiled version (32bit) is running here. No seen problems.
>> > >=20
>> > > But today they released the first patch
>> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd7407231=
0c3b
>> > > 018f
>> > > 4b6a5b5c6be4816f72166.patch).
>> > > Great...
>> > >=20
>> > > I think we're not affected ("There is a Segfault when opening long URLs
>> > > if Bump is enabled and the on_unsupported_protocol option is set. Proxy
>> > > mode is transparent.") but to be complete, I'd like to include this on=
e.
>> > >=20
>> > > This requires a clean build (~5:30 hours). Patched version will be rea=
dy
>> > > tomorrow. Ok?
>> >=20
>> > No hurry at all. I guess this already shows us that we should not migrat=
e to
>> > squid 4, yet. There are still many bugs in it. But what we need to do is=
 to
>> > review the proxy.cgi and see if the configuration file is valid and make
>> > changes
>> > if required.
>>=20
>> Im testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
>> shown an error since then, except this one - and I can't find the reason:
>>=20
>> "WARNING: Ignoring error setting default trusted CA : An unimplemented
>> or disabled feature has been requested."
>=20
> Did you go through the changelog to identify any configuration options that=
 you
> might not be using and which have been discontinued?

Yes, but I didn't find an option or something in the squid conf - with
MY eyes - that could me to the culprit.

What I found:
That warning is triggered by 'PeerOptions.cc':

...
    if (!flags.tlsDefaultCa)
        return;

    if (const char *err =3D loadSystemTrustedCa(ctx)) {
        debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting
default trusted CA : " << err);
    }
...

Which leads me to:

...
loadSystemTrustedCa(Security::ContextPointer &ctx)
{
    debugs(83, 8, "Setting default system Trusted CA. ctx=3D" <<
(void*)ctx.get());
#if USE_OPENSSL
    if (SSL_CTX_set_default_verify_paths(ctx.get()) =3D=3D 0)
        return Security::ErrorString(ERR_get_error());

#elif USE_GNUTLS
    auto x =3D gnutls_certificate_set_x509_system_trust(ctx.get());
    if (x < 0)
        return Security::ErrorString(x);
...

Perhaps we should add ---without-gnutls'?

Since SSL is already disabled that is the only option I can think of and
it clearly is found by 'squid':

...
checking for LIBGNUTLS... yes
checking gnutls/gnutls.h usability... yes
checking gnutls/gnutls.h presence... yes
checking for gnutls/gnutls.h... yes
checking gnutls/x509.h usability... yes
checking gnutls/x509.h presence... yes
checking for gnutls/x509.h... yes
checking gnutls/abstract.h usability... yes
checking gnutls/abstract.h presence... yes
checking for gnutls/abstract.h... yes
configure: GnuTLS library support: auto  -lgnutls
...

Best,
Matthias

--===============1708043523905779737==--


From ummeegge@ipfire.org Wed Jul  4 23:59:59 2018
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] OpenVPN: Prevent internal server error cause of bad
 header wrapper
Date: Thu, 05 Jul 2018 00:59:25 +0200
Message-ID: <87e8401791fdde1f7548d6787e7020161ae70b6b.camel@ipfire.org>
In-Reply-To: <89a296105302b7c3d9fa8415e5e596676e3d635b.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1132444984627325152=="

--===============1132444984627325152==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Michael,

Am Mittwoch, den 04.07.2018, 14:59 +0100 schrieb Michael Tremer:

> > 
> > You mean to mark the first patch as v1 ? In that case i need to
> > setup
> > the old patch again as a new one and send it as answer to the v2
> > patch.
> 
> No, not as v1, but in Patchwork, when you log in manually, you can
> set a patch
> as superseeded. It is a bit annoying to do this manually, but I do
> not know
> about any better way.
OK, new ways :-). But i do have currently no access with my
credentials.


> 
> > > > 
> > > > P.S. I do have some more OpenVPN patches (extensions no bugs),
> > > > should i commit
> > > > some more or should we wait until the next release ?
> > > 
> > > What are those?
> > 
> > Wanted to finish the 2.4 OpenVPN project in the course which we did
> > discussed some time ago. So i thought about this order:
> > 
> > 1) Automatic cipher negotiation for RWs only (checkbox in advanced
> > section)
> 
> Isn't that something you would always want?
Might be a good opportunity for people with lot´s of clients and old
configuration files but an updated OpenVPN client. No new config
transfer is needed in that case but AES-GCM can nevertheless be used,
if too old (< 2.3.x), the before configured algorithms will be used.


> 
> > 2) tls-crypt for N2N only (checkbox in N2N main menu).
> > 3) LZ4 compression possibility for N2N and RW (menu with possiblity
> > for
> > none, lzo, lz4v2)
> 
> Yes, that should be a dropdown then instead of a checkbox.
Done already.

> 
> > 4) Clean up ovpnmain.cgi from mtu-discovery since there are some
> > old
> > code blocks left.
> 
> Okay, cool.
> 
> > There is more but to get the old list shorter for the first.
> 
> I guess it is best to start with the cleanup and then send in the
> other things
> one patch, or one patchset at a time.
This is how we do it.

Best,


Erik





--===============1132444984627325152==--


From alexander.marx@ipfire.org Thu Jul  5 04:40:07 2018
From: Alexander Marx <alexander.marx@ipfire.org>
To: development@lists.ipfire.org
Subject: Core 120 openvpn
Date: Thu, 05 Jul 2018 05:40:06 +0200
Message-ID: <b0d1aaf8-7655-5d1e-baa4-1375beb4ecb7@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4883313468685960792=="

--===============4883313468685960792==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Dear list,

after having trouble upgrading my IPFire 119 to 120 (all OpenVPN
connections didn't work anymore)
i downgraded again.
Now i just upgraded my local linux os to Ubuntu 18.04 and my OpenVPN
client was not able to connect anymore due to TLS/verification failure.

Ok i thought, lets start a fresh install and test if the new core 120
will do it. Now the hassle starts:

Installed core 120, made a new CA and created an OpenVPN roadwarrior
connection.

I am NOT able to even import my OpenVPN connection into my OS because
the config is not recognised as an OpenVPN connection?!

More investigation showed up that there are MISSING parts in the
client-config.
The config showed:

#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu
pkcs12 marx.p12
cipher
verb 3
ns-cert-type server
verify-x509-name oabusv.dyndns.org name

Missing parts:
1) comp-lzo was not added
2) tun-mtu has no value (should be 1400 here)
3) "remote <servername>"" was missing completely
4) "cipher" has no value (should be AES-256-CBC here)

After adding these parts i was able to connect.

Can somebody confirm this?

I wonder if people are able to use IPFire with OpenVPN when using Core
120......

Cheers,

Alex



--===============4883313468685960792==
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"
MIME-Version: 1.0

PGh0bWw+CiAgPGhlYWQ+CgogICAgPG1ldGEgaHR0cC1lcXVpdj0iY29udGVudC10eXBlIiBjb250
ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiPgogIDwvaGVhZD4KICA8Ym9keSB0ZXh0PSIj
MDAwMDAwIiBiZ2NvbG9yPSIjRkZGRkZGIj4KICAgIDxmb250IGZhY2U9IkhlbHZldGljYSwgQXJp
YWwsIHNhbnMtc2VyaWYiPkRlYXIgbGlzdCw8YnI+CiAgICAgIDxicj4KICAgICAgYWZ0ZXIgaGF2
aW5nIHRyb3VibGUgdXBncmFkaW5nIG15IElQRmlyZSAxMTkgdG8gMTIwIChhbGwgT3BlblZQTgog
ICAgICBjb25uZWN0aW9ucyBkaWRuJ3Qgd29yayBhbnltb3JlKTxicj4KICAgICAgaSBkb3duZ3Jh
ZGVkIGFnYWluLjxicj4KICAgICAgTm93IGkganVzdCB1cGdyYWRlZCBteSBsb2NhbCBsaW51eCBv
cyB0byBVYnVudHUgMTguMDQgYW5kIG15CiAgICAgIE9wZW5WUE4gY2xpZW50IHdhcyBub3QgYWJs
ZSB0byBjb25uZWN0IGFueW1vcmUgZHVlIHRvIFRMUy92ZXJpZmljYXRpb24KICAgICAgZmFpbHVy
ZS48YnI+CiAgICAgIDxicj4KICAgICAgT2sgaSB0aG91Z2h0LCBsZXRzIHN0YXJ0IGEgZnJlc2gg
aW5zdGFsbCBhbmQgdGVzdCBpZiB0aGUgbmV3IGNvcmUKICAgICAgMTIwIHdpbGwgZG8gaXQuIE5v
dyB0aGUgaGFzc2xlIHN0YXJ0czo8YnI+CiAgICAgIDxicj4KICAgICAgSW5zdGFsbGVkIGNvcmUg
MTIwLCBtYWRlIGEgbmV3IENBIGFuZCBjcmVhdGVkIGFuIE9wZW5WUE4KICAgICAgcm9hZHdhcnJp
b3IgY29ubmVjdGlvbi48YnI+CiAgICAgIDxicj4KICAgICAgSSBhbSBOT1QgYWJsZSB0byBldmVu
IGltcG9ydCBteSBPcGVuVlBOIGNvbm5lY3Rpb24gaW50byBteSBPUwogICAgICBiZWNhdXNlIHRo
ZSBjb25maWcgaXMgbm90IHJlY29nbmlzZWQgYXMgYW4gT3BlblZQTiBjb25uZWN0aW9uPyE8YnI+
CiAgICAgIDxicj4KICAgICAgTW9yZSBpbnZlc3RpZ2F0aW9uIHNob3dlZCB1cCB0aGF0IHRoZXJl
IGFyZSBNSVNTSU5HIHBhcnRzIGluIHRoZQogICAgICBjbGllbnQtY29uZmlnLjxicj4KICAgICAg
VGhlIGNvbmZpZyBzaG93ZWQ6PGJyPgogICAgICA8YnI+CiAgICAgICNPcGVuVlBOIENsaWVudCBj
b25mPGJyPgogICAgICB0bHMtY2xpZW50PGJyPgogICAgICBjbGllbnQ8YnI+CiAgICAgIG5vYmlu
ZDxicj4KICAgICAgZGV2IHR1bjxicj4KICAgICAgcHJvdG8gdWRwPGJyPgogICAgICB0dW4tbXR1
IDxicj4KICAgICAgcGtjczEyIG1hcngucDEyPGJyPgogICAgICBjaXBoZXIgPGJyPgogICAgICB2
ZXJiIDM8YnI+CiAgICAgIG5zLWNlcnQtdHlwZSBzZXJ2ZXI8YnI+CiAgICAgIHZlcmlmeS14NTA5
LW5hbWUgb2FidXN2LmR5bmRucy5vcmcgbmFtZTxicj4KICAgICAgPGJyPgogICAgICBNaXNzaW5n
IHBhcnRzOjxicj4KICAgICAgMSkgY29tcC1sem8gd2FzIG5vdCBhZGRlZDxicj4KICAgICAgMikg
dHVuLW10dSBoYXMgbm8gdmFsdWUgKHNob3VsZCBiZSAxNDAwIGhlcmUpPGJyPgogICAgICAzKSAi
cmVtb3RlICZsdDtzZXJ2ZXJuYW1lJmd0OyIiIHdhcyBtaXNzaW5nIGNvbXBsZXRlbHk8YnI+CiAg
ICAgIDQpICJjaXBoZXIiIGhhcyBubyB2YWx1ZSAoc2hvdWxkIGJlIEFFUy0yNTYtQ0JDIGhlcmUp
PGJyPgogICAgICA8YnI+CiAgICAgIEFmdGVyIGFkZGluZyB0aGVzZSBwYXJ0cyBpIHdhcyBhYmxl
IHRvIGNvbm5lY3QuPGJyPgogICAgICA8YnI+CiAgICAgIENhbiBzb21lYm9keSBjb25maXJtIHRo
aXM/PGJyPgogICAgICA8YnI+CiAgICAgIEkgd29uZGVyIGlmIHBlb3BsZSBhcmUgYWJsZSB0byB1
c2UgSVBGaXJlIHdpdGggT3BlblZQTiB3aGVuIHVzaW5nCiAgICAgIENvcmUgMTIwLi4uLi4uPGJy
PgogICAgICA8YnI+CiAgICAgIENoZWVycyw8YnI+CiAgICAgIDxicj4KICAgICAgQWxleDxicj4K
ICAgIDwvZm9udD4KICA8L2JvZHk+CjwvaHRtbD4K

--===============4883313468685960792==--


From ummeegge@ipfire.org Thu Jul  5 12:51:39 2018
From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Core 120 openvpn
Date: Thu, 05 Jul 2018 13:51:33 +0200
Message-ID: <3036b7899354be8400f6d0213ac6a6858756c252.camel@ipfire.org>
In-Reply-To: <b0d1aaf8-7655-5d1e-baa4-1375beb4ecb7@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1572219715616871073=="

--===============1572219715616871073==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hi Alex,
i can not confirm one of these problems here, have seen also nobody
with that kind of problems in the forum after the update to Core 120.
Problems which has been occured where
- Too old CAs with MD5 in it which the new OpenVPN to not accept
anymore.
- DH-Parameter with 1024 bit which are also not accepted by OpenVPN
anymore.
- Missing Valid til Days value which the new OpenSSL do not accept
anymore.

I use 2.4.5 (meanwhile also 2.4.6 next update) for N2N and RWs on
updated machines but also fresh installed one´s and have no problem at
all. There was also positive feedback in the forum and also a longer
testing period for this update whereby none of this problems occurs...

So am not sure where this comes from ??

Cheers,

Erik


Am Donnerstag, den 05.07.2018, 05:40 +0200 schrieb Alexander Marx:
> Dear list,
> 
> after having trouble upgrading my IPFire 119 to 120 (all OpenVPN
> connections didn't work anymore)
> i downgraded again.
> Now i just upgraded my local linux os to Ubuntu 18.04 and my OpenVPN
> client was not able to connect anymore due to TLS/verification
> failure.
> 
> Ok i thought, lets start a fresh install and test if the new core 120
> will do it. Now the hassle starts:
> 
> Installed core 120, made a new CA and created an OpenVPN roadwarrior
> connection.
> 
> I am NOT able to even import my OpenVPN connection into my OS because
> the config is not recognised as an OpenVPN connection?!
> 
> More investigation showed up that there are MISSING parts in the
> client-config.
> The config showed:
> 
> #OpenVPN Client conf
> tls-client
> client
> nobind
> dev tun
> proto udp
> tun-mtu 
> pkcs12 marx.p12
> cipher 
> verb 3
> ns-cert-type server
> verify-x509-name oabusv.dyndns.org name
> 
> Missing parts:
> 1) comp-lzo was not added
> 2) tun-mtu has no value (should be 1400 here)
> 3) "remote <servername>"" was missing completely
> 4) "cipher" has no value (should be AES-256-CBC here)
> 
> After adding these parts i was able to connect.
> 
> Can somebody confirm this?
> 
> I wonder if people are able to use IPFire with OpenVPN when using
> Core 120......
> 
> Cheers,
> 
> Alex

--===============1572219715616871073==--


From trymes@rymes.com Thu Jul  5 13:09:08 2018
From: Tom Rymes <trymes@rymes.com>
To: development@lists.ipfire.org
Subject: Re: Core 120 openvpn
Date: Thu, 05 Jul 2018 08:09:05 -0400
Message-ID: <58156907-7F95-48FF-8752-EF35EF30D358@rymes.com>
In-Reply-To: <3036b7899354be8400f6d0213ac6a6858756c252.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1582629472668762372=="

--===============1582629472668762372==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Alex,

Did your problems appear after a pakfire upgrade to 120, or did you install 1=
20 and apply a backup from 119?

Tom

> On Jul 5, 2018, at 7:52 AM, ummeegge <ummeegge(a)ipfire.org> wrote:
>=20
> Hi Alex,
> i can not confirm one of these problems here, have seen also nobody
> with that kind of problems in the forum after the update to Core 120.
> Problems which has been occured where
> - Too old CAs with MD5 in it which the new OpenVPN to not accept
> anymore.
> - DH-Parameter with 1024 bit which are also not accepted by OpenVPN
> anymore.
> - Missing Valid til Days value which the new OpenSSL do not accept
> anymore.
>=20
> I use 2.4.5 (meanwhile also 2.4.6 next update) for N2N and RWs on
> updated machines but also fresh installed one=C2=B4s and have no problem at
> all. There was also positive feedback in the forum and also a longer
> testing period for this update whereby none of this problems occurs...
>=20
> So am not sure where this comes from ??
>=20
> Cheers,
>=20
> Erik
>=20
>=20
> Am Donnerstag, den 05.07.2018, 05:40 +0200 schrieb Alexander Marx:
>> Dear list,
>>=20
>> after having trouble upgrading my IPFire 119 to 120 (all OpenVPN
>> connections didn't work anymore)
>> i downgraded again.
>> Now i just upgraded my local linux os to Ubuntu 18.04 and my OpenVPN
>> client was not able to connect anymore due to TLS/verification
>> failure.
>>=20
>> Ok i thought, lets start a fresh install and test if the new core 120
>> will do it. Now the hassle starts:
>>=20
>> Installed core 120, made a new CA and created an OpenVPN roadwarrior
>> connection.
>>=20
>> I am NOT able to even import my OpenVPN connection into my OS because
>> the config is not recognised as an OpenVPN connection?!
>>=20
>> More investigation showed up that there are MISSING parts in the
>> client-config.
>> The config showed:
>>=20
>> #OpenVPN Client conf
>> tls-client
>> client
>> nobind
>> dev tun
>> proto udp
>> tun-mtu=20
>> pkcs12 marx.p12
>> cipher=20
>> verb 3
>> ns-cert-type server
>> verify-x509-name oabusv.dyndns.org name
>>=20
>> Missing parts:
>> 1) comp-lzo was not added
>> 2) tun-mtu has no value (should be 1400 here)
>> 3) "remote <servername>"" was missing completely
>> 4) "cipher" has no value (should be AES-256-CBC here)
>>=20
>> After adding these parts i was able to connect.
>>=20
>> Can somebody confirm this?
>>=20
>> I wonder if people are able to use IPFire with OpenVPN when using
>> Core 120......
>>=20
>> Cheers,
>>=20
>> Alex


--===============1582629472668762372==--


From matthias.fischer@ipfire.org Thu Jul  5 15:55:21 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Thu, 05 Jul 2018 16:55:19 +0200
Message-ID: <1cc95aa3-7bb0-230d-dc24-76b0f8b20e4a@ipfire.org>
In-Reply-To: <9aa23d5a-0f10-2508-a2c5-707b78193f9d@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2078659473712102542=="

--===============2078659473712102542==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Found something, see below.

On 04.07.2018 20:52, Matthias Fischer wrote:
> On 04.07.2018 18:43, Michael Tremer wrote:
>> On Wed, 2018-07-04 at 17:04 +0200, Matthias Fischer wrote:
>>> On 04.07.2018 16:57, Michael Tremer wrote:
>>> > On Wed, 2018-07-04 at 16:54 +0200, Matthias Fischer wrote:
>>> > > Hi,
>>> > >=20
>>> > > On 04.07.2018 11:12, Michael Tremer wrote:
>>> > > > Squid 4.1 has been released.
>>> > >=20
>>> > > Yep.
>>> > >=20
>>> > > > @Matthias: As far as I remember, you have been working on updating =
squid
>>> > > > before.
>>> > > > Will you have a look at this?
>>> > >=20
>>> > > I'm "looking at it" right now. ;-)
>>> > >=20
>>> > > When I came home, Devel was ready.
>>> > >=20
>>> > > First compiled version (32bit) is running here. No seen problems.
>>> > >=20
>>> > > But today they released the first patch
>>> > > (http://www.squid-cache.org/Versions/v4/changesets/squid-4-01fd740723=
10c3b
>>> > > 018f
>>> > > 4b6a5b5c6be4816f72166.patch).
>>> > > Great...
>>> > >=20
>>> > > I think we're not affected ("There is a Segfault when opening long UR=
Ls
>>> > > if Bump is enabled and the on_unsupported_protocol option is set. Pro=
xy
>>> > > mode is transparent.") but to be complete, I'd like to include this o=
ne.
>>> > >=20
>>> > > This requires a clean build (~5:30 hours). Patched version will be re=
ady
>>> > > tomorrow. Ok?
>>> >=20
>>> > No hurry at all. I guess this already shows us that we should not migra=
te to
>>> > squid 4, yet. There are still many bugs in it. But what we need to do i=
s to
>>> > review the proxy.cgi and see if the configuration file is valid and make
>>> > changes
>>> > if required.
>>>=20
>>> Im testing the squid4-branch since ~4.0.22, 'squid -k parse' hasn't
>>> shown an error since then, except this one - and I can't find the reason:
>>>=20
>>> "WARNING: Ignoring error setting default trusted CA : An unimplemented
>>> or disabled feature has been requested."
>>=20
>> Did you go through the changelog to identify any configuration options tha=
t you
>> might not be using and which have been discontinued?
>=20
> Yes, but I didn't find an option or something in the squid conf - with
> MY eyes - that could me to the culprit.
>=20
> What I found:
> That warning is triggered by 'PeerOptions.cc':
>=20
> ...
>     if (!flags.tlsDefaultCa)
>         return;
>=20
>     if (const char *err =3D loadSystemTrustedCa(ctx)) {
>         debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting
> default trusted CA : " << err);
>     }
> ...
>=20
> Which leads me to:
>=20
> ...
> loadSystemTrustedCa(Security::ContextPointer &ctx)
> {
>     debugs(83, 8, "Setting default system Trusted CA. ctx=3D" <<
> (void*)ctx.get());
> #if USE_OPENSSL
>     if (SSL_CTX_set_default_verify_paths(ctx.get()) =3D=3D 0)
>         return Security::ErrorString(ERR_get_error());
>=20
> #elif USE_GNUTLS
>     auto x =3D gnutls_certificate_set_x509_system_trust(ctx.get());
>     if (x < 0)
>         return Security::ErrorString(x);
> ...
>=20
> Perhaps we should add ---without-gnutls'?
>=20
> Since SSL is already disabled that is the only option I can think of and
> it clearly is found by 'squid':
>=20
> ...
> checking for LIBGNUTLS... yes
> checking gnutls/gnutls.h usability... yes
> checking gnutls/gnutls.h presence... yes
> checking for gnutls/gnutls.h... yes
> checking gnutls/x509.h usability... yes
> checking gnutls/x509.h presence... yes
> checking for gnutls/x509.h... yes
> checking gnutls/abstract.h usability... yes
> checking gnutls/abstract.h presence... yes
> checking for gnutls/abstract.h... yes
> configure: GnuTLS library support: auto  -lgnutls
> ...
>=20

After adding 'without-gnutls' and another clean build, warning is gone.

New version is running.

Best,
Matthias



--===============2078659473712102542==--


From matthias.fischer@ipfire.org Thu Jul  5 17:57:30 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: [squid-announce] Squid 4.1 is available]
Date: Thu, 05 Jul 2018 18:57:48 +0200
Message-ID: <5c4e914b-59e3-7600-e992-fd1f113a492d@ipfire.org>
In-Reply-To: <51c9b839bbe41426c9f84bda2d9e9343d9ec4d28.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8053233594964851920=="

--===============8053233594964851920==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On 04.07.2018 11:12, Michael Tremer wrote:
> Squid 4.1 has been released.
>=20
> @Matthias: As far as I remember, you have been working on updating squid be=
fore.
> Will you have a look at this?

If someone wants to test:

=3D>
https://git.ipfire.org/?p=3Dpeople/mfischer/ipfire-2.x.git;a=3Dcommit;h=3D020=
9249016760ed428c7bd22262f88c20cc5034b

Its running here. As I wrote: no warnings anymore, 'squid -k parse' is
clean now.

Best,
Matthias

--===============8053233594964851920==--


From erik.kapfer@ipfire.org Fri Jul  6 04:58:02 2018
From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 [PATCH] OpenVPN: Deleted mtu-disc completely since it has been dropped.
Date: Fri, 06 Jul 2018 05:57:59 +0200
Message-ID: <1530849479-13169-1-git-send-email-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7169923988279405039=="

--===============7169923988279405039==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f06e7cf..976300f 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -271,7 +271,7 @@ sub writeserverconf {
     print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
     #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{=
'GREEN_NETMASK'}\"\n";
=20
-    # Check if we are using mssfix, fragment or mtu-disc and set the corretc=
t mtu of 1500.
+    # Check if we are using mssfix, fragment and set the corretct mtu of 150=
0.
     # If we doesn't use one of them, we can use the configured mtu value.
     if ($sovpnsettings{'MSSFIX'} eq 'on')=20
 	{ print CONF "tun-mtu 1500\n"; }
@@ -2183,15 +2183,6 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment=
 $confighash{$cgiparams{'KEY'}}[24]\n";}
    if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix=
\n";}
    }
-   if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
-       ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
-	if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams=
{'KEY'}}[24] eq '')) {
-		if ($tunmtu eq '1500' ) {
-			print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n";
-		}
-	}
-   }
    # Check host certificate if X509 is RFC3280 compliant.
    # If not, old --ns-cert-type directive will be used.
    # If appropriate key usage extension exists, new --remote-cert-tls direct=
ive will be used.
@@ -2272,7 +2263,7 @@ else
     print CLIENTCONF "dev tun\r\n";
     print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
=20
-    # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500
+    # Check if we are using fragment, mssfix and set MTU to 1500
     # or use configured value.
     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
 	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
@@ -3378,7 +3369,6 @@ my $complzoactive;
 my $mssfixactive;
 my $authactive;
 my $n2nfragment;
-my @n2nmtudisc =3D split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
 my @n2nproto2 =3D split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
 my @n2nproto =3D split(/-/, $n2nproto2[1]);
 my @n2nport =3D split(/ /, (grep { /^port/ } @firen2nconf)[0]);
@@ -3414,7 +3404,6 @@ $n2nremsub[2] =3D~ s/\n|\r//g;
 $n2nlocalsub[2] =3D~ s/\n|\r//g;
 $n2nfragment[1] =3D~ s/\n|\r//g;
 $n2nmgmt[2] =3D~ s/\n|\r//g;
-$n2nmtudisc[1] =3D~ s/\n|\r//g;
 $n2ncipher[1] =3D~ s/\n|\r//g;
 $n2nauth[1] =3D~ s/\n|\r//g;
 chomp ($complzoactive);
@@ -3491,7 +3480,6 @@ foreach my $dkey (keys %confighash) {
 	$confighash{$key}[29] =3D $n2nport[1];
 	$confighash{$key}[30] =3D $complzoactive;
 	$confighash{$key}[31] =3D $n2ntunmtu[1];
-	$confighash{$key}[38] =3D $n2nmtudisc[1];
 	$confighash{$key}[39] =3D $n2nauth[1];
 	$confighash{$key}[40] =3D $n2ncipher[1];
 	$confighash{$key}[41] =3D 'disabled';
@@ -3531,7 +3519,6 @@ foreach my $dkey (keys %confighash) {
 		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>MSSFIX:</td><td><b>$confighas=
h{$key}[23]</b></td></tr>
 		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>Fragment:</td><td><b>$configh=
ash{$key}[24]</b></td></tr>
 		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'MTU'}</td><td><b>$=
confighash{$key}[31]</b></td></tr>
-		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'ovpn mtu-disc'}</t=
d><td><b>$confighash{$key}[38]</b></td></tr>
 		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>Management Port </td><td><b>$=
confighash{$key}[22]</b></td></tr>
 		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'ovpn hmac'}:</td><=
td><b>$confighash{$key}[39]</b></td></tr>
 		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'cipher'}</td><td><=
b>$confighash{$key}[40]</b></td></tr>
--=20
2.7.4


--===============7169923988279405039==--


From natnaree.asavaseri.mt9@is.naist.jp Mon Jul  9 05:19:26 2018
From: Asavaseri Natnaree <natnaree.asavaseri.mt9@is.naist.jp>
To: development@lists.ipfire.org
Subject: Research survey: Impact of Microsoft Acquisition of GitHub
Date: Mon, 09 Jul 2018 13:19:15 +0900
Message-ID: <6f20e79d252cf.5b4360d3@naist.jp>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8930979399452344524=="

--===============8930979399452344524==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Dear IPFire developers,=C2=A0

I am Natnaree Asavaseri and currently undertaking a research internship at Na=
ra Institute of Science and Technology, Japan. Note that we are not biased to=
 either GitHub or Microsoft, and this is purely from an empirical research pe=
rspective.=C2=A0

As a part of my research in the field of Software Engineering (SE), my profes=
sors and I are analyzing the impact of Microsoft's acquisition of GitHub. The=
 main purpose of my survey is understanding how developers perceive the Micro=
soft's acquisition of GitHub, especially from contributors to Linux distribut=
ions and BSD families. If the survey is successful, we will publish our findi=
ngs at SE academic venues (journals or conference).

So please consider voicing your opinion by allowing us up to 5 minutes to com=
plete my short survey.=C2=A0

https://goo.gl/forms/lbIL5qsinDRQyTaK2=C2=A0

We would like to remind you that participation in this survey is completely v=
oluntary and your identity is hidden for anonymity. Thank you for your time i=
n advance.=C2=A0

Best regards,=C2=A0

Natnaree (cc Shade, Raula, Hideaki)
Nara Institute of Science and Technology, Japan


--===============8930979399452344524==--


From matthias.fischer@ipfire.org Mon Jul  9 19:53:50 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] clamav: Update to 0.100.1
Date: Mon, 09 Jul 2018 20:53:45 +0200
Message-ID: <20180709185345.24093-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6028575659633993079=="

--===============6028575659633993079==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

For details see:
https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/clamav | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lfs/clamav b/lfs/clamav
index 7623801fb..c0612f1aa 100644
--- a/lfs/clamav
+++ b/lfs/clamav
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 0.100.0
+VER        = 0.100.1
 
 THISAPP    = clamav-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = clamav
-PAK_VER    = 38
+PAK_VER    = 39
 
 DEPS       = ""
 
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 93e8efb489c2afdfca73703b76c24e01
+$(DL_FILE)_MD5 = 0f653df0480eebcd828939e8db9f0443
 
 install : $(TARGET)
 
-- 
2.18.0


--===============6028575659633993079==--


From blais.julien.30@gmail.com Mon Jul  9 21:07:55 2018
From: jbsky <blais.julien.30@gmail.com>
To: development@lists.ipfire.org
Subject: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Mon, 09 Jul 2018 22:07:31 +0200
Message-ID: <20180709200731.28762-1-blais.julien.30@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5050661039731646422=="

--===============5050661039731646422==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
By replacing cert with xauth in the 5th place option, the vpn connection is c=
onfigured to support xauthrsasig, ikev1 is also to be changed manually in the=
 file.
---
 html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 378acb326..a5c50dbda 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -304,7 +304,7 @@ sub writeipsecfiles {
 		}
=20
 		# Local Cert and Remote Cert (unless auth is DN dn-auth)
-		if ($lconfighash{$key}[4] eq 'cert') {
+		if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4] eq 'xauthrsa=
sig')) {
 			print CONF "\tleftcert=3D${General::swroot}/certs/hostcert.pem\n";
 			print CONF "\trightcert=3D${General::swroot}/certs/$lconfighash{$key}[1]c=
ert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn');
 		}
@@ -408,7 +408,12 @@ sub writeipsecfiles {
 				print SECRETS $psk_line;
 			}
 			print CONF "\tauthby=3Dsecret\n";
-		} else {
+		}
+		elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
+			print CONF "\tauthby=3Dxauthrsasig\n";
+			print CONF "\txauth=3Dserver\n";
+		}=20
+		else {
 			print CONF "\tauthby=3Drsasig\n";
 			print CONF "\tleftrsasigkey=3D%cert\n";
 			print CONF "\trightrsasigkey=3D%cert\n";
@@ -2841,7 +2846,7 @@ END
 	print "<td align=3D'center' nowrap=3D'nowrap' $col>" . $Lang::tr{"$configha=
sh{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$ke=
y}[29]</td>";
 	if ($confighash{$key}[2] eq '%auth-dn') {
 		print "<td align=3D'left' nowrap=3D'nowrap' $col>$confighash{$key}[9]</td>=
";
-	} elsif ($confighash{$key}[4] eq 'cert') {
+	} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthr=
sasig')) {
 		print "<td align=3D'left' nowrap=3D'nowrap' $col>$confighash{$key}[2]</td>=
";
 	} else {
 		print "<td align=3D'left' $col>&nbsp;</td>";
@@ -2893,7 +2898,7 @@ END
 	} else {
 		print "<td width=3D'2%' $col>&nbsp;</td>";
 	}
-	if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$configh=
ash{$key}[1].p12") {
+	if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq 'xauthrsasi=
g')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
 		print <<END
 		<td align=3D'center' $col>
 		<form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>
@@ -2904,7 +2909,7 @@ END
 	</td>
 END
 ;
-	} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%aut=
h-dn')) {
+	} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%au=
th-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') && ($confighash{$key}[2] n=
e '%auth-dn'))) {
 		print <<END
 		<td align=3D'center' $col>
 		<form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>
--=20
2.12.2


--===============5050661039731646422==--


From blais.julien.30@gmail.com Mon Jul  9 21:08:04 2018
From: jbsky <blais.julien.30@gmail.com>
To: development@lists.ipfire.org
Subject: [PATCH 2/2] Modified file : html/cgi-bin/connections.cgi
Date: Mon, 09 Jul 2018 22:07:40 +0200
Message-ID: <20180709200740.28846-1-blais.julien.30@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4836031102683895891=="

--===============4836031102683895891==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Add IPSec network in vpn color code.
---
 html/cgi-bin/connections.cgi | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi
index e9e9e335c..0e3680d20 100644
--- a/html/cgi-bin/connections.cgi
+++ b/html/cgi-bin/connections.cgi
@@ -256,6 +256,15 @@ if (-e "${General::swroot}/ovpn/ccd.conf") {
 	}
 }
 
+#Add IPSec net
+
+my %ipsecsettings=();
+&General::readhash("${General::swroot}/vpn/settings", \%ipsecsettings);
+my ($network, $mask) = split("/", $ipsecsettings{'RW_NET'});
+push(@network, $network);
+push(@masklen, $mask);
+push(@colour, ${Header::colourvpn
+
 open(IPSEC, "${General::swroot}/vpn/config");
 my @ipsec = <IPSEC>;
 close(IPSEC);
-- 
2.12.2


--===============4836031102683895891==--


From michael.tremer@ipfire.org Tue Jul 10 18:38:20 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] clamav: Update to 0.100.1
Date: Tue, 10 Jul 2018 18:38:19 +0100
Message-ID: <37551fdd1a10ab17e3ae61135d29341dcf451b1d.camel@ipfire.org>
In-Reply-To: <20180709185345.24093-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5570103847735124761=="

--===============5570103847735124761==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Thanks. Merged.

There is a ton of CVEs in there...

-Michael

On Mon, 2018-07-09 at 20:53 +0200, Matthias Fischer wrote:
> For details see:
> https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
> 
> Best,
> Matthias
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  lfs/clamav | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/lfs/clamav b/lfs/clamav
> index 7623801fb..c0612f1aa 100644
> --- a/lfs/clamav
> +++ b/lfs/clamav
> @@ -24,7 +24,7 @@
>  
>  include Config
>  
> -VER        = 0.100.0
> +VER        = 0.100.1
>  
>  THISAPP    = clamav-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
>  DIR_APP    = $(DIR_SRC)/$(THISAPP)
>  TARGET     = $(DIR_INFO)/$(THISAPP)
>  PROG       = clamav
> -PAK_VER    = 38
> +PAK_VER    = 39
>  
>  DEPS       = ""
>  
> @@ -48,7 +48,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 93e8efb489c2afdfca73703b76c24e01
> +$(DL_FILE)_MD5 = 0f653df0480eebcd828939e8db9f0443
>  
>  install : $(TARGET)
>  

--===============5570103847735124761==--


From michael.tremer@ipfire.org Tue Jul 10 18:41:03 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: [PATCH] OpenVPN: Deleted mtu-disc completely since it has been dropped.
Date: Tue, 10 Jul 2018 18:41:02 +0100
Message-ID: <c33464af8f4da7458e896263c3aa54d7d1a2d807.camel@ipfire.org>
In-Reply-To: <1530849479-13169-1-git-send-email-erik.kapfer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6553141884500749717=="

--===============6553141884500749717==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Merged.

On Fri, 2018-07-06 at 05:57 +0200, Erik Kapfer wrote:
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 17 ++---------------
>  1 file changed, 2 insertions(+), 15 deletions(-)
>=20
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index f06e7cf..976300f 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -271,7 +271,7 @@ sub writeserverconf {
>      print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
>      #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'}
> $netsettings{'GREEN_NETMASK'}\"\n";
> =20
> -    # Check if we are using mssfix, fragment or mtu-disc and set the corre=
tct
> mtu of 1500.
> +    # Check if we are using mssfix, fragment and set the corretct mtu of
> 1500.
>      # If we doesn't use one of them, we can use the configured mtu value.
>      if ($sovpnsettings{'MSSFIX'} eq 'on')=20
>  	{ print CONF "tun-mtu 1500\n"; }
> @@ -2183,15 +2183,6 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
>     if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragme=
nt
> $confighash{$cgiparams{'KEY'}}[24]\n";}
>     if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF
> "mssfix\n";}
>     }
> -   if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') ||
> -       ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') ||
> -       ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) {
> -	if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') ||
> ($confighash{$cgiparams{'KEY'}}[24] eq '')) {
> -		if ($tunmtu eq '1500' ) {
> -			print CLIENTCONF "mtu-disc
> $confighash{$cgiparams{'KEY'}}[38]\n";
> -		}
> -	}
> -   }
>     # Check host certificate if X509 is RFC3280 compliant.
>     # If not, old --ns-cert-type directive will be used.
>     # If appropriate key usage extension exists, new --remote-cert-tls
> directive will be used.
> @@ -2272,7 +2263,7 @@ else
>      print CLIENTCONF "dev tun\r\n";
>      print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
> =20
> -    # Check if we are using fragment, mssfix or mtu-disc and set MTU to 15=
00
> +    # Check if we are using fragment, mssfix and set MTU to 1500
>      # or use configured value.
>      if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' )
>  	{ print CLIENTCONF "tun-mtu 1500\r\n"; }
> @@ -3378,7 +3369,6 @@ my $complzoactive;
>  my $mssfixactive;
>  my $authactive;
>  my $n2nfragment;
> -my @n2nmtudisc =3D split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);
>  my @n2nproto2 =3D split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
>  my @n2nproto =3D split(/-/, $n2nproto2[1]);
>  my @n2nport =3D split(/ /, (grep { /^port/ } @firen2nconf)[0]);
> @@ -3414,7 +3404,6 @@ $n2nremsub[2] =3D~ s/\n|\r//g;
>  $n2nlocalsub[2] =3D~ s/\n|\r//g;
>  $n2nfragment[1] =3D~ s/\n|\r//g;
>  $n2nmgmt[2] =3D~ s/\n|\r//g;
> -$n2nmtudisc[1] =3D~ s/\n|\r//g;
>  $n2ncipher[1] =3D~ s/\n|\r//g;
>  $n2nauth[1] =3D~ s/\n|\r//g;
>  chomp ($complzoactive);
> @@ -3491,7 +3480,6 @@ foreach my $dkey (keys %confighash) {
>  	$confighash{$key}[29] =3D $n2nport[1];
>  	$confighash{$key}[30] =3D $complzoactive;
>  	$confighash{$key}[31] =3D $n2ntunmtu[1];
> -	$confighash{$key}[38] =3D $n2nmtudisc[1];
>  	$confighash{$key}[39] =3D $n2nauth[1];
>  	$confighash{$key}[40] =3D $n2ncipher[1];
>  	$confighash{$key}[41] =3D 'disabled';
> @@ -3531,7 +3519,6 @@ foreach my $dkey (keys %confighash) {
>  		<tr><td class=3D'boldbase'
> nowrap=3D'nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
>  		<tr><td class=3D'boldbase'
> nowrap=3D'nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
>  		<tr><td class=3D'boldbase'
> nowrap=3D'nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td=
></tr
> >
> -		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'ovpn mtu-
> disc'}</td><td><b>$confighash{$key}[38]</b></td></tr>
>  		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>Management Port
> </td><td><b>$confighash{$key}[22]</b></td></tr>
>  		<tr><td class=3D'boldbase' nowrap=3D'nowrap'>$Lang::tr{'ovpn
> hmac'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
>  		<tr><td class=3D'boldbase'
> nowrap=3D'nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b><=
/td><
> /tr>

--===============6553141884500749717==--


From michael.tremer@ipfire.org Tue Jul 10 18:42:39 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Tue, 10 Jul 2018 18:42:38 +0100
Message-ID: <4f2dd787847ba9181f7e7a68933b5bb733091230.camel@ipfire.org>
In-Reply-To: <20180709200731.28762-1-blais.julien.30@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2577437877710816830=="

--===============2577437877710816830==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Julien?!,

thanks for submitting this patch.

Could you go into more detail about what this patch is doing and why you need
it?

Best,
-Michael

On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
> Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
> By replacing cert with xauth in the 5th place option, the vpn connection is
> configured to support xauthrsasig, ikev1 is also to be changed manually in =
the
> file.
> ---
>  html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
>  1 file changed, 10 insertions(+), 5 deletions(-)
>=20
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 378acb326..a5c50dbda 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -304,7 +304,7 @@ sub writeipsecfiles {
>  		}
> =20
>  		# Local Cert and Remote Cert (unless auth is DN dn-auth)
> -		if ($lconfighash{$key}[4] eq 'cert') {
> +		if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[4]
> eq 'xauthrsasig')) {
>  			print CONF
> "\tleftcert=3D${General::swroot}/certs/hostcert.pem\n";
>  			print CONF
> "\trightcert=3D${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if
> ($lconfighash{$key}[2] ne '%auth-dn');
>  		}
> @@ -408,7 +408,12 @@ sub writeipsecfiles {
>  				print SECRETS $psk_line;
>  			}
>  			print CONF "\tauthby=3Dsecret\n";
> -		} else {
> +		}
> +		elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
> +			print CONF "\tauthby=3Dxauthrsasig\n";
> +			print CONF "\txauth=3Dserver\n";
> +		}=20
> +		else {
>  			print CONF "\tauthby=3Drsasig\n";
>  			print CONF "\tleftrsasigkey=3D%cert\n";
>  			print CONF "\trightrsasigkey=3D%cert\n";
> @@ -2841,7 +2846,7 @@ END
>  	print "<td align=3D'center' nowrap=3D'nowrap' $col>" .
> $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"=
} .
> ") $confighash{$key}[29]</td>";
>  	if ($confighash{$key}[2] eq '%auth-dn') {
>  		print "<td align=3D'left' nowrap=3D'nowrap'
> $col>$confighash{$key}[9]</td>";
> -	} elsif ($confighash{$key}[4] eq 'cert') {
> +	} elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> 'xauthrsasig')) {
>  		print "<td align=3D'left' nowrap=3D'nowrap'
> $col>$confighash{$key}[2]</td>";
>  	} else {
>  		print "<td align=3D'left' $col>&nbsp;</td>";
> @@ -2893,7 +2898,7 @@ END
>  	} else {
>  		print "<td width=3D'2%' $col>&nbsp;</td>";
>  	}
> -	if ($confighash{$key}[4] eq 'cert' && -f
> "${General::swroot}/certs/$confighash{$key}[1].p12") {
> +	if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12") {
>  		print <<END
>  		<td align=3D'center' $col>
>  		<form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>
> @@ -2904,7 +2909,7 @@ END
>  	</td>
>  END
>  ;
> -	} elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne
> '%auth-dn')) {
> +	} elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') &&
> ($confighash{$key}[2] ne '%auth-dn'))) {
>  		print <<END
>  		<td align=3D'center' $col>
>  		<form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>

--===============2577437877710816830==--


From stefan.schantl@ipfire.org Tue Jul 10 19:04:56 2018
From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] Fix hook for static address configuration.
Date: Tue, 10 Jul 2018 20:04:51 +0200
Message-ID: <20180710180451.4001-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7787429683218075720=="

--===============7787429683218075720==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add the required hook_new function and "id" information which have been
introduced in earlier commits to make this hook work again.

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
 src/hooks/configs/static | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/hooks/configs/static b/src/hooks/configs/static
index 91bba8a..37f3d32 100644
--- a/src/hooks/configs/static
+++ b/src/hooks/configs/static
@@ -52,6 +52,8 @@ hook_check_config_settings() {
=20
 hook_parse_cmdline() {
 	local protocol
+	local id=3D"${1}"
+	shift
=20
 	while [ $# -gt 0 ]; do
 		case "${1}" in
@@ -153,12 +155,34 @@ hook_parse_cmdline() {
 	fi
=20
 	# Check any conflicts
-	if zone_config_check_same_setting "${zone}" "static" "ADDRESS" "${ADDRESS}"=
; then
+	if zone_config_check_same_setting "${zone}" "static" "${id}" "ADDRESS" "${A=
DDRESS}"; then
 		error "A static configuration with the same address is already configured"
 		return ${EXIT_CONF_ERROR}
 	fi
 }
=20
+hook_new() {
+	local zone=3D"${1}"
+	shift
+
+	if zone_config_hook_is_configured ${zone} "static"; then
+		log ERROR "You can configure the static hook only once for a zone"
+		return ${EXIT_ERROR}
+	fi
+
+	local id=3D$(zone_config_get_new_id ${zone})
+	log DEBUG "ID for the config is: ${id}"
+
+	if ! hook_parse_cmdline "${id}" "$@"; then
+		# Return an error if the parsing of the cmd line fails
+		return ${EXIT_ERROR}
+	fi
+
+	zone_config_settings_write "${zone}" "${HOOK}" "${id}"
+
+	exit ${EXIT_OK}
+}
+
 hook_up() {
 	local zone=3D"${1}"
 	local config=3D"${2}"
--=20
2.17.1


--===============7787429683218075720==--


From blais.julien.30@gmail.com Tue Jul 10 19:07:49 2018
From: Julien Blais <blais.julien.30@gmail.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Tue, 10 Jul 2018 20:07:46 +0200
Message-ID:
 <CAP6ncskL8qFApLXavVfseB_mv=7m6Z9kUyfrri4_dZKa4AqPWQ@mail.gmail.com>
In-Reply-To: <4f2dd787847ba9181f7e7a68933b5bb733091230.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6351001077494035206=="

--===============6351001077494035206==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Michael,


For it to work, you simply need to generate a Roadwarrior connection per
certificate. Then, change what is red, either replace cert by xauthrsasiget
put ikev1 instead of ikev2.

[root(a)ipfire ~]# cat /var/ipfire/vpn/config
2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,
192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|=
768,aes256,sha2_512,1024|768|none,on,,,clear,on
,ikev1,120,30,off,start,900

Here is the result in the file :

conn Xiaomi
        left=3Dvpn.jbsky.fr
        leftsubnet=3D192.168.0.0/24
        leftfirewall=3Dyes
        lefthostaccess=3Dyes
        right=3D%any
        leftcert=3D/var/ipfire/certs/hostcert.pem
        rightcert=3D/var/ipfire/certs/Xiaomicert.pem
        ike=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768!

esp=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
        keyexchange=3Dikev1
        ikelifetime=3D3h
        keylife=3D1h
        dpdaction=3Dclear
        dpddelay=3D30
        dpdtimeout=3D120
        authby=3Dxauthrsasig
        xauth=3Dserver
        auto=3Dadd
        rightsourceip=3D10.0.10.0/29
        fragmentation=3Dyes

Why this patch? it allows to have a functional visual on VPN connections in
the vpnmain.cgi page. Everything that is IOS or Android works with Xauth,
you do not support this type of device.

2018-07-10 19:42 GMT+02:00 Michael Tremer <michael.tremer(a)ipfire.org>:

> Hello Julien?!,
>
> thanks for submitting this patch.
>
> Could you go into more detail about what this patch is doing and why you
> need
> it?
>
> Best,
> -Michael
>
> On Mon, 2018-07-09 at 22:07 +0200, jbsky wrote:
> > Added xauthrsasig option instead of cert in /var/ipfire/vpn/config.
> > By replacing cert with xauth in the 5th place option, the vpn connection
> is
> > configured to support xauthrsasig, ikev1 is also to be changed manually
> in the
> > file.
> > ---
> >  html/cgi-bin/vpnmain.cgi | 15 ++++++++++-----
> >  1 file changed, 10 insertions(+), 5 deletions(-)
> >
> > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> > index 378acb326..a5c50dbda 100644
> > --- a/html/cgi-bin/vpnmain.cgi
> > +++ b/html/cgi-bin/vpnmain.cgi
> > @@ -304,7 +304,7 @@ sub writeipsecfiles {
> >               }
> >
> >               # Local Cert and Remote Cert (unless auth is DN dn-auth)
> > -             if ($lconfighash{$key}[4] eq 'cert') {
> > +             if (($lconfighash{$key}[4] eq 'cert')||($lconfighash{$key}[
> 4]
> > eq 'xauthrsasig')) {
> >                       print CONF
> > "\tleftcert=3D${General::swroot}/certs/hostcert.pem\n";
> >                       print CONF
> > "\trightcert=3D${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n"
> if
> > ($lconfighash{$key}[2] ne '%auth-dn');
> >               }
> > @@ -408,7 +408,12 @@ sub writeipsecfiles {
> >                               print SECRETS $psk_line;
> >                       }
> >                       print CONF "\tauthby=3Dsecret\n";
> > -             } else {
> > +             }
> > +             elsif ($lconfighash{$key}[4] eq 'xauthrsasig') {
> > +                     print CONF "\tauthby=3Dxauthrsasig\n";
> > +                     print CONF "\txauth=3Dserver\n";
> > +             }
> > +             else {
> >                       print CONF "\tauthby=3Drsasig\n";
> >                       print CONF "\tleftrsasigkey=3D%cert\n";
> >                       print CONF "\trightrsasigkey=3D%cert\n";
> > @@ -2841,7 +2846,7 @@ END
> >       print "<td align=3D'center' nowrap=3D'nowrap' $col>" .
> > $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4=
]"}
> .
> > ") $confighash{$key}[29]</td>";
> >       if ($confighash{$key}[2] eq '%auth-dn') {
> >               print "<td align=3D'left' nowrap=3D'nowrap'
> > $col>$confighash{$key}[9]</td>";
> > -     } elsif ($confighash{$key}[4] eq 'cert') {
> > +     } elsif (($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> > 'xauthrsasig')) {
> >               print "<td align=3D'left' nowrap=3D'nowrap'
> > $col>$confighash{$key}[2]</td>";
> >       } else {
> >               print "<td align=3D'left' $col>&nbsp;</td>";
> > @@ -2893,7 +2898,7 @@ END
> >       } else {
> >               print "<td width=3D'2%' $col>&nbsp;</td>";
> >       }
> > -     if ($confighash{$key}[4] eq 'cert' && -f
> > "${General::swroot}/certs/$confighash{$key}[1].p12") {
> > +     if ((($confighash{$key}[4] eq 'cert')||($confighash{$key}[4] eq
> > 'xauthrsasig')) && -f "${General::swroot}/certs/$confighash{$key}[1].p12")
> {
> >               print <<END
> >               <td align=3D'center' $col>
> >               <form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>
> > @@ -2904,7 +2909,7 @@ END
> >       </td>
> >  END
> >  ;
> > -     } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> ne
> > '%auth-dn')) {
> > +     } elsif ((($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2]
> > ne '%auth-dn'))||(($confighash{$key}[4] eq 'xauthrsasig') &&
> > ($confighash{$key}[2] ne '%auth-dn'))) {
> >               print <<END
> >               <td align=3D'center' $col>
> >               <form method=3D'post' action=3D'$ENV{'SCRIPT_NAME'}'>
>



--===============6351001077494035206==
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"
MIME-Version: 1.0

PGRpdiBkaXI9Imx0ciI+PGRpdj5IaSBNaWNoYWVsLDwvZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+
PGJyPkZvciBpdCB0byB3b3JrLCB5b3Ugc2ltcGx5IG5lZWQgdG8gZ2VuZXJhdGUgYSBSb2Fkd2Fy
cmlvciBjb25uZWN0aW9uIHBlciBjZXJ0aWZpY2F0ZS4gVGhlbiwgY2hhbmdlIHdoYXQgaXMgcmVk
LCBlaXRoZXIgcmVwbGFjZSBjZXJ0IGJ5IHhhdXRocnNhc2lnZXQgcHV0IGlrZXYxIGluc3RlYWQg
b2YgaWtldjIuPC9kaXY+PGRpdj4KPGRpdj48YnI+PC9kaXY+PGRpdj5bcm9vdEBpcGZpcmUgfl0j
IGNhdCAvdmFyL2lwZmlyZS92cG4vY29uZmlnPGJyPjwvZGl2PjxkaXY+MixvbixYaWFvbWksWGlh
b21pLGhvc3QsPHNwYW4gc3R5bGU9ImJhY2tncm91bmQtY29sb3I6cmdiKDI1NSwwLDApIj54YXV0
aHJzYXNpZzwvc3Bhbj4sLG9mZiwsPGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMTAuMC8yNTUuMjU1
LjI1NS4wLCwsMTAuMC4xMC4wLzI5LG9mZiwsLG9mZiwzLDEsYWVzMjU2LHNoYTJfNTEyLDEwMjR8
NzY4LGFlczI1NixzaGEyXzUxMiwxMDI0fDc2OHxub25lLG9uLCwsY2xlYXIsb24iPjE5Mi4xNjgu
MTAuMC8yNTUuMjU1LjI1NS4wLCwsMTAuMC4xMC4wLzI5LG9mZiwsLG9mZiwzLDEsYWVzMjU2LHNo
YTJfNTEyLDEwMjR8NzY4LGFlczI1NixzaGEyXzUxMiwxMDI0fDc2OHxub25lLG9uLCwsY2xlYXIs
b248L2E+LDxzcGFuIHN0eWxlPSJiYWNrZ3JvdW5kLWNvbG9yOnJnYigyNTUsMCwwKSI+aWtldjE8
L3NwYW4+LDEyMCwzMCxvZmYsc3RhcnQsOTAwPGJyPjwvZGl2PgoKPC9kaXY+PGRpdj48YnI+PC9k
aXY+PGRpdj5IZXJlIGlzIHRoZSByZXN1bHQgaW4gdGhlIGZpbGUgOjwvZGl2PjxkaXY+PGJyPjwv
ZGl2PjxkaXY+Y29ubiBYaWFvbWk8YnI+wqDCoMKgwqDCoMKgwqAgbGVmdD08YSBocmVmPSJodHRw
Oi8vdnBuLmpic2t5LmZyIj52cG4uamJza3kuZnI8L2E+PGJyPsKgwqDCoMKgwqDCoMKgIGxlZnRz
dWJuZXQ9PGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMC4wLzI0Ij4xOTIuMTY4LjAuMC8yNDwvYT48
YnI+wqDCoMKgwqDCoMKgwqAgbGVmdGZpcmV3YWxsPXllczxicj7CoMKgwqDCoMKgwqDCoCBsZWZ0
aG9zdGFjY2Vzcz15ZXM8YnI+wqDCoMKgwqDCoMKgwqAgcmlnaHQ9JWFueTxicj7CoMKgwqDCoMKg
wqDCoCBsZWZ0Y2VydD0vdmFyL2lwZmlyZS9jZXJ0cy9ob3N0Y2VydC5wZW08YnI+wqDCoMKgwqDC
oMKgwqAgcmlnaHRjZXJ0PS92YXIvaXBmaXJlL2NlcnRzL1hpYW9taWNlcnQucGVtPGJyPsKgwqDC
oMKgwqDCoMKgIGlrZT1hZXMyNTYtc2hhMl81MTItbW9kcDEwMjQsYWVzMjU2LXNoYTJfNTEyLW1v
ZHA3NjghPGJyPsKgwqDCoMKgwqDCoMKgIGVzcD1hZXMyNTYtc2hhMl81MTItbW9kcDEwMjQsYWVz
MjU2LXNoYTJfNTEyLW1vZHA3NjgsYWVzMjU2LXNoYTJfNTEyITxicj7CoMKgwqDCoMKgwqDCoCBr
ZXlleGNoYW5nZT1pa2V2MTxicj7CoMKgwqDCoMKgwqDCoCBpa2VsaWZldGltZT0zaDxicj7CoMKg
wqDCoMKgwqDCoCBrZXlsaWZlPTFoPGJyPsKgwqDCoMKgwqDCoMKgIGRwZGFjdGlvbj1jbGVhcjxi
cj7CoMKgwqDCoMKgwqDCoCBkcGRkZWxheT0zMDxicj7CoMKgwqDCoMKgwqDCoCBkcGR0aW1lb3V0
PTEyMDxicj7CoMKgwqDCoMKgwqDCoCBhdXRoYnk9eGF1dGhyc2FzaWc8YnI+wqDCoMKgwqDCoMKg
wqAgeGF1dGg9c2VydmVyPGJyPsKgwqDCoMKgwqDCoMKgIGF1dG89YWRkPGJyPsKgwqDCoMKgwqDC
oMKgIHJpZ2h0c291cmNlaXA9PGEgaHJlZj0iaHR0cDovLzEwLjAuMTAuMC8yOSI+MTAuMC4xMC4w
LzI5PC9hPjxicj7CoMKgwqDCoMKgwqDCoCBmcmFnbWVudGF0aW9uPXllczxicj48YnI+V2h5IHRo
aXMgcGF0Y2g/IGl0IGFsbG93cyB0byBoYXZlIGEgZnVuY3Rpb25hbCB2aXN1YWwgb24gVlBOIGNv
bm5lY3Rpb25zIGluIHRoZSB2cG5tYWluLmNnaSBwYWdlLiBFdmVyeXRoaW5nIHRoYXQgaXMgSU9T
IG9yIEFuZHJvaWQgd29ya3Mgd2l0aCBYYXV0aCwgeW91IGRvIG5vdCBzdXBwb3J0IHRoaXMgdHlw
ZSBvZiBkZXZpY2UuPGJyPjwvZGl2PjwvZGl2PjxkaXYgY2xhc3M9ImdtYWlsX2V4dHJhIj48YnI+
PGRpdiBjbGFzcz0iZ21haWxfcXVvdGUiPjIwMTgtMDctMTAgMTk6NDIgR01UKzAyOjAwIE1pY2hh
ZWwgVHJlbWVyIDxzcGFuIGRpcj0ibHRyIj4mbHQ7PGEgaHJlZj0ibWFpbHRvOm1pY2hhZWwudHJl
bWVyQGlwZmlyZS5vcmciIHRhcmdldD0iX2JsYW5rIj5taWNoYWVsLnRyZW1lckBpcGZpcmUub3Jn
PC9hPiZndDs8L3NwYW4+Ojxicj48YmxvY2txdW90ZSBjbGFzcz0iZ21haWxfcXVvdGUiIHN0eWxl
PSJtYXJnaW46MCAwIDAgLjhleDtib3JkZXItbGVmdDoxcHggI2NjYyBzb2xpZDtwYWRkaW5nLWxl
ZnQ6MWV4Ij5IZWxsbyBKdWxpZW4/ISw8YnI+Cjxicj4KdGhhbmtzIGZvciBzdWJtaXR0aW5nIHRo
aXMgcGF0Y2guPGJyPgo8YnI+CkNvdWxkIHlvdSBnbyBpbnRvIG1vcmUgZGV0YWlsIGFib3V0IHdo
YXQgdGhpcyBwYXRjaCBpcyBkb2luZyBhbmQgd2h5IHlvdSBuZWVkPGJyPgppdD88YnI+Cjxicj4K
QmVzdCw8YnI+Ci1NaWNoYWVsPGJyPgo8ZGl2IGNsYXNzPSJIT0VuWmIiPjxkaXYgY2xhc3M9Img1
Ij48YnI+Ck9uIE1vbiwgMjAxOC0wNy0wOSBhdCAyMjowNyArMDIwMCwgamJza3kgd3JvdGU6PGJy
PgomZ3Q7IEFkZGVkIHhhdXRocnNhc2lnIG9wdGlvbiBpbnN0ZWFkIG9mIGNlcnQgaW4gL3Zhci9p
cGZpcmUvdnBuL2NvbmZpZy48YnI+CiZndDsgQnkgcmVwbGFjaW5nIGNlcnQgd2l0aCB4YXV0aCBp
biB0aGUgNXRoIHBsYWNlIG9wdGlvbiwgdGhlIHZwbiBjb25uZWN0aW9uIGlzPGJyPgomZ3Q7IGNv
bmZpZ3VyZWQgdG8gc3VwcG9ydCB4YXV0aHJzYXNpZywgaWtldjEgaXMgYWxzbyB0byBiZSBjaGFu
Z2VkIG1hbnVhbGx5IGluIHRoZTxicj4KJmd0OyBmaWxlLjxicj4KJmd0OyAtLS08YnI+CiZndDvC
oCBodG1sL2NnaS1iaW4vdnBubWFpbi5jZ2kgfCAxNSArKysrKysrKysrLS0tLS08YnI+CiZndDvC
oCAxIGZpbGUgY2hhbmdlZCwgMTAgaW5zZXJ0aW9ucygrKSwgNSBkZWxldGlvbnMoLSk8YnI+CiZn
dDsgPGJyPgomZ3Q7IGRpZmYgLS1naXQgYS9odG1sL2NnaS1iaW4vdnBubWFpbi5jZ2kgYi9odG1s
L2NnaS1iaW4vdnBubWFpbi5jZ2k8YnI+CiZndDsgaW5kZXggMzc4YWNiMzI2Li5hNWM1MGRiZGEg
MTAwNjQ0PGJyPgomZ3Q7IC0tLSBhL2h0bWwvY2dpLWJpbi92cG5tYWluLmNnaTxicj4KJmd0OyAr
KysgYi9odG1sL2NnaS1iaW4vdnBubWFpbi5jZ2k8YnI+CiZndDsgQEAgLTMwNCw3ICszMDQsNyBA
QCBzdWIgd3JpdGVpcHNlY2ZpbGVzIHs8YnI+CiZndDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoH08
YnI+CiZndDvCoCA8YnI+CiZndDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCMgTG9jYWwgQ2VydCBh
bmQgUmVtb3RlIENlcnQgKHVubGVzcyBhdXRoIGlzIEROIGRuLWF1dGgpPGJyPgomZ3Q7IC3CoCDC
oCDCoCDCoCDCoCDCoCDCoGlmICgkbGNvbmZpZ2hhc2h7JGtleX1bNF0gZXEgJiMzOTtjZXJ0JiMz
OTspIHs8YnI+CiZndDsgK8KgIMKgIMKgIMKgIMKgIMKgIMKgaWYgKCgkbGNvbmZpZ2hhc2h7JGtl
eX1bNF0gZXEgJiMzOTtjZXJ0JiMzOTspfHwoJGxjb25maWdoYXNoeyRrZXl9Wzx3YnI+NF08YnI+
CiZndDsgZXEgJiMzOTt4YXV0aHJzYXNpZyYjMzk7KSkgezxicj4KJmd0O8KgIMKgIMKgIMKgIMKg
IMKgIMKgIMKgIMKgIMKgIMKgIMKgcHJpbnQgQ09ORjxicj4KJmd0OyAmcXVvdDtcdGxlZnRjZXJ0
PSR7R2VuZXJhbDo6c3dyb290fTx3YnI+L2NlcnRzL2hvc3RjZXJ0LnBlbVxuJnF1b3Q7Ozxicj4K
Jmd0O8KgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKgcHJpbnQgQ09ORjxicj4KJmd0
OyAmcXVvdDtcdHJpZ2h0Y2VydD0ke0dlbmVyYWw6Ojx3YnI+c3dyb290fS9jZXJ0cy8kbGNvbmZp
Z2hhc2h7JDx3YnI+a2V5fVsxXWNlcnQucGVtXG4mcXVvdDsgaWY8YnI+CiZndDsgKCRsY29uZmln
aGFzaHska2V5fVsyXSBuZSAmIzM5OyVhdXRoLWRuJiMzOTspOzxicj4KJmd0O8KgIMKgIMKgIMKg
IMKgIMKgIMKgIMKgfTxicj4KJmd0OyBAQCAtNDA4LDcgKzQwOCwxMiBAQCBzdWIgd3JpdGVpcHNl
Y2ZpbGVzIHs8YnI+CiZndDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDC
oCDCoCDCoHByaW50IFNFQ1JFVFMgJHBza19saW5lOzxicj4KJmd0O8KgIMKgIMKgIMKgIMKgIMKg
IMKgIMKgIMKgIMKgIMKgIMKgfTxicj4KJmd0O8KgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKg
IMKgIMKgcHJpbnQgQ09ORiAmcXVvdDtcdGF1dGhieT1zZWNyZXRcbiZxdW90Ozs8YnI+CiZndDsg
LcKgIMKgIMKgIMKgIMKgIMKgIMKgfSBlbHNlIHs8YnI+CiZndDsgK8KgIMKgIMKgIMKgIMKgIMKg
IMKgfTxicj4KJmd0OyArwqAgwqAgwqAgwqAgwqAgwqAgwqBlbHNpZiAoJGxjb25maWdoYXNoeyRr
ZXl9WzRdIGVxICYjMzk7eGF1dGhyc2FzaWcmIzM5Oykgezxicj4KJmd0OyArwqAgwqAgwqAgwqAg
wqAgwqAgwqAgwqAgwqAgwqAgwqBwcmludCBDT05GICZxdW90O1x0YXV0aGJ5PXhhdXRocnNhc2ln
XG4mcXVvdDs7PGJyPgomZ3Q7ICvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoHByaW50
IENPTkYgJnF1b3Q7XHR4YXV0aD1zZXJ2ZXJcbiZxdW90Ozs8YnI+CiZndDsgK8KgIMKgIMKgIMKg
IMKgIMKgIMKgfSA8YnI+CiZndDsgK8KgIMKgIMKgIMKgIMKgIMKgIMKgZWxzZSB7PGJyPgomZ3Q7
wqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAgwqBwcmludCBDT05GICZxdW90O1x0YXV0
aGJ5PXJzYXNpZ1xuJnF1b3Q7Ozxicj4KJmd0O8KgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKgIMKg
IMKgIMKgcHJpbnQgQ09ORiAmcXVvdDtcdGxlZnRyc2FzaWdrZXk9JWNlcnRcbiZxdW90Ozs8YnI+
CiZndDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoHByaW50IENPTkYgJnF1b3Q7
XHRyaWdodHJzYXNpZ2tleT0lY2VydFxuJnF1b3Q7Ozxicj4KJmd0OyBAQCAtMjg0MSw3ICsyODQ2
LDcgQEAgRU5EPGJyPgomZ3Q7wqAgwqAgwqAgwqBwcmludCAmcXVvdDsmbHQ7dGQgYWxpZ249JiMz
OTtjZW50ZXImIzM5OyBub3dyYXA9JiMzOTtub3dyYXAmIzM5OyAkY29sJmd0OyZxdW90OyAuPGJy
PgomZ3Q7ICRMYW5nOjp0cnsmcXVvdDskY29uZmlnaGFzaHska2V5fVs8d2JyPjNdJnF1b3Q7fSAu
ICZxdW90OyAoJnF1b3Q7IC4gJExhbmc6OnRyeyZxdW90OyRjb25maWdoYXNoeyRrZXl9Wzx3YnI+
NF0mcXVvdDt9IC48YnI+CiZndDsgJnF1b3Q7KSAkY29uZmlnaGFzaHska2V5fVsyOV0mbHQ7L3Rk
Jmd0OyZxdW90Ozs8YnI+CiZndDvCoCDCoCDCoCDCoGlmICgkY29uZmlnaGFzaHska2V5fVsyXSBl
cSAmIzM5OyVhdXRoLWRuJiMzOTspIHs8YnI+CiZndDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoHBy
aW50ICZxdW90OyZsdDt0ZCBhbGlnbj0mIzM5O2xlZnQmIzM5OyBub3dyYXA9JiMzOTtub3dyYXAm
IzM5Ozxicj4KJmd0OyAkY29sJmd0OyRjb25maWdoYXNoeyRrZXl9WzldJmx0Oy90ZCZndDs8d2Jy
PiZxdW90Ozs8YnI+CiZndDsgLcKgIMKgIMKgfSBlbHNpZiAoJGNvbmZpZ2hhc2h7JGtleX1bNF0g
ZXEgJiMzOTtjZXJ0JiMzOTspIHs8YnI+CiZndDsgK8KgIMKgIMKgfSBlbHNpZiAoKCRjb25maWdo
YXNoeyRrZXl9WzRdIGVxICYjMzk7Y2VydCYjMzk7KXx8KCRjb25maWdoYXNoeyRrZXl9WzRdIGVx
PGJyPgomZ3Q7ICYjMzk7eGF1dGhyc2FzaWcmIzM5OykpIHs8YnI+CiZndDvCoCDCoCDCoCDCoCDC
oCDCoCDCoCDCoHByaW50ICZxdW90OyZsdDt0ZCBhbGlnbj0mIzM5O2xlZnQmIzM5OyBub3dyYXA9
JiMzOTtub3dyYXAmIzM5Ozxicj4KJmd0OyAkY29sJmd0OyRjb25maWdoYXNoeyRrZXl9WzJdJmx0
Oy90ZCZndDs8d2JyPiZxdW90Ozs8YnI+CiZndDvCoCDCoCDCoCDCoH0gZWxzZSB7PGJyPgomZ3Q7
wqAgwqAgwqAgwqAgwqAgwqAgwqAgwqBwcmludCAmcXVvdDsmbHQ7dGQgYWxpZ249JiMzOTtsZWZ0
JiMzOTsgJGNvbCZndDsmYW1wO25ic3A7Jmx0Oy90ZCZndDsmcXVvdDs7PGJyPgomZ3Q7IEBAIC0y
ODkzLDcgKzI4OTgsNyBAQCBFTkQ8YnI+CiZndDvCoCDCoCDCoCDCoH0gZWxzZSB7PGJyPgomZ3Q7
wqAgwqAgwqAgwqAgwqAgwqAgwqAgwqBwcmludCAmcXVvdDsmbHQ7dGQgd2lkdGg9JiMzOTsyJSYj
Mzk7ICRjb2wmZ3Q7JmFtcDtuYnNwOyZsdDsvdGQmZ3Q7JnF1b3Q7Ozxicj4KJmd0O8KgIMKgIMKg
IMKgfTxicj4KJmd0OyAtwqAgwqAgwqBpZiAoJGNvbmZpZ2hhc2h7JGtleX1bNF0gZXEgJiMzOTtj
ZXJ0JiMzOTsgJmFtcDsmYW1wOyAtZjxicj4KJmd0OyAmcXVvdDske0dlbmVyYWw6OnN3cm9vdH0v
Y2VydHMvJDx3YnI+Y29uZmlnaGFzaHska2V5fVsxXS5wMTImcXVvdDspIHs8YnI+CiZndDsgK8Kg
IMKgIMKgaWYgKCgoJGNvbmZpZ2hhc2h7JGtleX1bNF0gZXEgJiMzOTtjZXJ0JiMzOTspfHwoJGNv
bmZpZ2hhc2h7JGtleX1bNF0gZXE8YnI+CiZndDsgJiMzOTt4YXV0aHJzYXNpZyYjMzk7KSkgJmFt
cDsmYW1wOyAtZiAmcXVvdDske0dlbmVyYWw6OnN3cm9vdH0vY2VydHMvJDx3YnI+Y29uZmlnaGFz
aHska2V5fVsxXS5wMTImcXVvdDspIHs8YnI+CiZndDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoHBy
aW50ICZsdDsmbHQ7RU5EPGJyPgomZ3Q7wqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAmbHQ7dGQgYWxp
Z249JiMzOTtjZW50ZXImIzM5OyAkY29sJmd0Ozxicj4KJmd0O8KgIMKgIMKgIMKgIMKgIMKgIMKg
IMKgJmx0O2Zvcm0gbWV0aG9kPSYjMzk7cG9zdCYjMzk7IGFjdGlvbj0mIzM5OyRFTlZ7JiMzOTtT
Q1JJUFRfTkFNRSYjMzk7fSYjMzk7Jmd0Ozxicj4KJmd0OyBAQCAtMjkwNCw3ICsyOTA5LDcgQEAg
RU5EPGJyPgomZ3Q7wqAgwqAgwqAgwqAmbHQ7L3RkJmd0Ozxicj4KJmd0O8KgIEVORDxicj4KJmd0
O8KgIDs8YnI+CiZndDsgLcKgIMKgIMKgfSBlbHNpZiAoKCRjb25maWdoYXNoeyRrZXl9WzRdIGVx
ICYjMzk7Y2VydCYjMzk7KSAmYW1wOyZhbXA7ICgkY29uZmlnaGFzaHska2V5fVsyXSBuZTxicj4K
Jmd0OyAmIzM5OyVhdXRoLWRuJiMzOTspKSB7PGJyPgomZ3Q7ICvCoCDCoCDCoH0gZWxzaWYgKCgo
JGNvbmZpZ2hhc2h7JGtleX1bNF0gZXEgJiMzOTtjZXJ0JiMzOTspICZhbXA7JmFtcDsgKCRjb25m
aWdoYXNoeyRrZXl9WzJdPGJyPgomZ3Q7IG5lICYjMzk7JWF1dGgtZG4mIzM5OykpfHwoKCRjb25m
aWdoYXNoeyQ8d2JyPmtleX1bNF0gZXEgJiMzOTt4YXV0aHJzYXNpZyYjMzk7KSAmYW1wOyZhbXA7
PGJyPgomZ3Q7ICgkY29uZmlnaGFzaHska2V5fVsyXSBuZSAmIzM5OyVhdXRoLWRuJiMzOTspKSkg
ezxicj4KJmd0O8KgIMKgIMKgIMKgIMKgIMKgIMKgIMKgcHJpbnQgJmx0OyZsdDtFTkQ8YnI+CiZn
dDvCoCDCoCDCoCDCoCDCoCDCoCDCoCDCoCZsdDt0ZCBhbGlnbj0mIzM5O2NlbnRlciYjMzk7ICRj
b2wmZ3Q7PGJyPgomZ3Q7wqAgwqAgwqAgwqAgwqAgwqAgwqAgwqAmbHQ7Zm9ybSBtZXRob2Q9JiMz
OTtwb3N0JiMzOTsgYWN0aW9uPSYjMzk7JEVOVnsmIzM5O1NDUklQVF9OQU1FJiMzOTt9JiMzOTsm
Z3Q7PGJyPgo8L2Rpdj48L2Rpdj48L2Jsb2NrcXVvdGU+PC9kaXY+PGJyPjwvZGl2Pgo=

--===============6351001077494035206==--


From trymes@rymes.com Tue Jul 10 19:11:45 2018
From: Tom Rymes <trymes@rymes.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Tue, 10 Jul 2018 14:11:47 -0400
Message-ID: <06b43974-8e19-8194-b376-03ebc0f797b5@rymes.com>
In-Reply-To:
 <CAP6ncskL8qFApLXavVfseB_mv=7m6Z9kUyfrri4_dZKa4AqPWQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3950391697094560549=="

--===============3950391697094560549==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,=20
don't they?

Tom

On 07/10/2018 2:07 PM, Julien Blais wrote:
> Hi Michael,
>=20
>=20
> For it to work, you simply need to generate a Roadwarrior connection per=20
> certificate. Then, change what is red, either replace cert by=20
> xauthrsasiget put ikev1 instead of ikev2.
>=20
> [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10.0=
.10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|none=
,on,,,clear,on=20
> <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2=
_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,120,30=
,off,start,900
>=20
> Here is the result in the file :
>=20
> conn Xiaomi
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 left=3Dvpn.jbsky.fr <http://vpn=
.jbsky.fr>
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 leftsubnet=3D192.168.0.0/24 <ht=
tp://192.168.0.0/24>
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 leftfirewall=3Dyes
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 lefthostaccess=3Dyes
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 right=3D%any
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 leftcert=3D/var/ipfire/certs/ho=
stcert.pem
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 rightcert=3D/var/ipfire/certs/X=
iaomicert.pem
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ike=3Daes256-sha2_512-modp1024,=
aes256-sha2_512-modp768!
>         =20
> esp=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 keyexchange=3Dikev1
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 ikelifetime=3D3h
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 keylife=3D1h
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 dpdaction=3Dclear
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 dpddelay=3D30
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 dpdtimeout=3D120
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 authby=3Dxauthrsasig
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 xauth=3Dserver
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 auto=3Dadd
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 rightsourceip=3D10.0.10.0/29 <h=
ttp://10.0.10.0/29>
>  =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 fragmentation=3Dyes
>=20
> Why this patch? it allows to have a functional visual on VPN connections=20
> in the vpnmain.cgi page. Everything that is IOS or Android works with=20
> Xauth, you do not support this type of device.




--===============3950391697094560549==--


From blais.julien.30@gmail.com Tue Jul 10 19:17:27 2018
From: Julien Blais <blais.julien.30@gmail.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Tue, 10 Jul 2018 20:17:15 +0200
Message-ID:
 <CAP6ncsnpm30AVsfVE2ywCYQsWu-qjuqASC64Y2eZ+Nq7++V6Dg@mail.gmail.com>
In-Reply-To: <06b43974-8e19-8194-b376-03ebc0f797b5@rymes.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4588696480614157719=="

--===============4588696480614157719==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

I present what I know that works. Since I haven't tested, but if you say
so, it's to be tested. I was forgetting, of course, xauth needs a
login/password pair to declare in ipsec.user.secret.

Le mar. 10 juil. 2018 =C3=A0 20:11, Tom Rymes <trymes(a)rymes.com> a =C3=A9cr=
it :

> If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
> don't they?
>
> Tom
>
> On 07/10/2018 2:07 PM, Julien Blais wrote:
> > Hi Michael,
> >
> >
> > For it to work, you simply need to generate a Roadwarrior connection per
> > certificate. Then, change what is red, either replace cert by
> > xauthrsasiget put ikev1 instead of ikev2.
> >
> > [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,
> 192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_512,102=
4|768,aes256,sha2_512,1024|768|none,on,,,clear,on
> <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2=
_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>
> > <
> http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,sha2_=
512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on
> >,ikev1,120,30,off,start,900
> >
> > Here is the result in the file :
> >
> > conn Xiaomi
> >          left=3Dvpn.jbsky.fr <http://vpn.jbsky.fr>
> >          leftsubnet=3D192.168.0.0/24 <http://192.168.0.0/24>
> >          leftfirewall=3Dyes
> >          lefthostaccess=3Dyes
> >          right=3D%any
> >          leftcert=3D/var/ipfire/certs/hostcert.pem
> >          rightcert=3D/var/ipfire/certs/Xiaomicert.pem
> >          ike=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> >
> > esp=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> >          keyexchange=3Dikev1
> >          ikelifetime=3D3h
> >          keylife=3D1h
> >          dpdaction=3Dclear
> >          dpddelay=3D30
> >          dpdtimeout=3D120
> >          authby=3Dxauthrsasig
> >          xauth=3Dserver
> >          auto=3Dadd
> >          rightsourceip=3D10.0.10.0/29 <http://10.0.10.0/29>
> >          fragmentation=3Dyes
> >
> > Why this patch? it allows to have a functional visual on VPN connections
> > in the vpnmain.cgi page. Everything that is IOS or Android works with
> > Xauth, you do not support this type of device.
>
>
>
>



--===============4588696480614157719==
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"
MIME-Version: 1.0

PGRpdiBkaXI9ImF1dG8iPjxzcGFuIHN0eWxlPSJtYXJnaW46MHB4O3BhZGRpbmc6MHB4O2NvbG9y
OnJnYigyNywzMCwzNyk7Zm9udC1mYW1pbHk6cm9ib3RvLHNhbnMtc2VyaWY7Zm9udC1zaXplOjE2
cHg7d2hpdGUtc3BhY2U6cHJlLXdyYXA7YmFja2dyb3VuZC1jb2xvcjpyZ2IoMjQ4LDI0OCwyNDgp
Ij5JIHByZXNlbnQgd2hhdCBJIGtub3cgdGhhdCB3b3Jrcy4gIFNpbmNlIEkgaGF2ZW4mIzM5O3Qg
dGVzdGVkLCBidXQgaWYgeW91IHNheSBzbywgaXQmIzM5O3MgdG8gYmUgdGVzdGVkLiAKIAoKCgoK
SSB3YXMgZm9yZ2V0dGluZywgb2YgY291cnNlLCB4YXV0aCBuZWVkcyBhIGxvZ2luL3Bhc3N3b3Jk
IHBhaXIgdG8gZGVjbGFyZSBpbiBpcHNlYy51c2VyLnNlY3JldC48L3NwYW4+PGRpdiBzdHlsZT0i
bWFyZ2luOjBweDtwYWRkaW5nOjBweDtjb2xvcjpyZ2IoMjcsMzAsMzcpO2ZvbnQtZmFtaWx5OnJv
Ym90byxzYW5zLXNlcmlmO2ZvbnQtc2l6ZToxNnB4O3doaXRlLXNwYWNlOnByZS13cmFwO2JhY2tn
cm91bmQtY29sb3I6cmdiKDI0OCwyNDgsMjQ4KTtkaXNwbGF5OmlubGluZS1ibG9jazt3aWR0aDoy
NXB4O2hlaWdodDoxMHB4IiBkaXI9ImF1dG8iPjwvZGl2PjwvZGl2Pjxicj48ZGl2IGNsYXNzPSJn
bWFpbF9xdW90ZSI+PGRpdiBkaXI9Imx0ciI+TGUgbWFyLiAxMCBqdWlsLiAyMDE4IMOgIDIwOjEx
LCBUb20gUnltZXMgJmx0OzxhIGhyZWY9Im1haWx0bzp0cnltZXNAcnltZXMuY29tIj50cnltZXNA
cnltZXMuY29tPC9hPiZndDsgYSDDqWNyaXTCoDo8YnI+PC9kaXY+PGJsb2NrcXVvdGUgY2xhc3M9
ImdtYWlsX3F1b3RlIiBzdHlsZT0ibWFyZ2luOjAgMCAwIC44ZXg7Ym9yZGVyLWxlZnQ6MXB4ICNj
Y2Mgc29saWQ7cGFkZGluZy1sZWZ0OjFleCI+SWYgSSBtYXkgYXNrLCB3aHkgSUtFdjE/IE1vZGVy
biBpT1MgYW5kIEFuZHJvaWQgYm90aCBzdXBwb3J0IElLRXYyLCA8YnI+CmRvbiYjMzk7dCB0aGV5
Pzxicj4KPGJyPgpUb208YnI+Cjxicj4KT24gMDcvMTAvMjAxOCAyOjA3IFBNLCBKdWxpZW4gQmxh
aXMgd3JvdGU6PGJyPgomZ3Q7IEhpIE1pY2hhZWwsPGJyPgomZ3Q7IDxicj4KJmd0OyA8YnI+CiZn
dDsgRm9yIGl0IHRvIHdvcmssIHlvdSBzaW1wbHkgbmVlZCB0byBnZW5lcmF0ZSBhIFJvYWR3YXJy
aW9yIGNvbm5lY3Rpb24gcGVyIDxicj4KJmd0OyBjZXJ0aWZpY2F0ZS4gVGhlbiwgY2hhbmdlIHdo
YXQgaXMgcmVkLCBlaXRoZXIgcmVwbGFjZSBjZXJ0IGJ5IDxicj4KJmd0OyB4YXV0aHJzYXNpZ2V0
IHB1dCBpa2V2MSBpbnN0ZWFkIG9mIGlrZXYyLjxicj4KJmd0OyA8YnI+CiZndDsgW3Jvb3RAaXBm
aXJlIH5dIyBjYXQgL3Zhci9pcGZpcmUvdnBuL2NvbmZpZzxicj4KJmd0OyAyLG9uLFhpYW9taSxY
aWFvbWksaG9zdCx4YXV0aHJzYXNpZywsb2ZmLCw8YSBocmVmPSJodHRwOi8vMTkyLjE2OC4xMC4w
LzI1NS4yNTUuMjU1LjAsLCwxMC4wLjEwLjAvMjksb2ZmLCwsb2ZmLDMsMSxhZXMyNTYsc2hhMl81
MTIsMTAyNCU3Qzc2OCxhZXMyNTYsc2hhMl81MTIsMTAyNCU3Qzc2OCU3Q25vbmUsb24sLCxjbGVh
cixvbiIgcmVsPSJub3JlZmVycmVyIG5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj4xOTIuMTY4
LjEwLjAvMjU1LjI1NS4yNTUuMCwsLDEwLjAuMTAuMC8yOSxvZmYsLCxvZmYsMywxLGFlczI1Nixz
aGEyXzUxMiwxMDI0fDc2OCxhZXMyNTYsc2hhMl81MTIsMTAyNHw3Njh8bm9uZSxvbiwsLGNsZWFy
LG9uPC9hPiA8YnI+CiZndDsgJmx0OzxhIGhyZWY9Imh0dHA6Ly8xOTIuMTY4LjEwLjAvMjU1LjI1
NS4yNTUuMCwsLDEwLjAuMTAuMC8yOSxvZmYsLCxvZmYsMywxLGFlczI1NixzaGEyXzUxMiwxMDI0
JTdDNzY4LGFlczI1NixzaGEyXzUxMiwxMDI0JTdDNzY4JTdDbm9uZSxvbiwsLGNsZWFyLG9uIiBy
ZWw9Im5vcmVmZXJyZXIgbm9yZWZlcnJlciIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly8xOTIuMTY4
LjEwLjAvMjU1LjI1NS4yNTUuMCwsLDEwLjAuMTAuMC8yOSxvZmYsLCxvZmYsMywxLGFlczI1Nixz
aGEyXzUxMiwxMDI0JTdDNzY4LGFlczI1NixzaGEyXzUxMiwxMDI0JTdDNzY4JTdDbm9uZSxvbiws
LGNsZWFyLG9uPC9hPiZndDssaWtldjEsMTIwLDMwLG9mZixzdGFydCw5MDA8YnI+CiZndDsgPGJy
PgomZ3Q7IEhlcmUgaXMgdGhlIHJlc3VsdCBpbiB0aGUgZmlsZSA6PGJyPgomZ3Q7IDxicj4KJmd0
OyBjb25uIFhpYW9taTxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIGxlZnQ9PGEgaHJlZj0iaHR0
cDovL3Zwbi5qYnNreS5mciIgcmVsPSJub3JlZmVycmVyIG5vcmVmZXJyZXIiIHRhcmdldD0iX2Js
YW5rIj52cG4uamJza3kuZnI8L2E+ICZsdDs8YSBocmVmPSJodHRwOi8vdnBuLmpic2t5LmZyIiBy
ZWw9Im5vcmVmZXJyZXIgbm9yZWZlcnJlciIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly92cG4uamJz
a3kuZnI8L2E+Jmd0Ozxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIGxlZnRzdWJuZXQ9PGEgaHJl
Zj0iaHR0cDovLzE5Mi4xNjguMC4wLzI0IiByZWw9Im5vcmVmZXJyZXIgbm9yZWZlcnJlciIgdGFy
Z2V0PSJfYmxhbmsiPjE5Mi4xNjguMC4wLzI0PC9hPiAmbHQ7PGEgaHJlZj0iaHR0cDovLzE5Mi4x
NjguMC4wLzI0IiByZWw9Im5vcmVmZXJyZXIgbm9yZWZlcnJlciIgdGFyZ2V0PSJfYmxhbmsiPmh0
dHA6Ly8xOTIuMTY4LjAuMC8yNDwvYT4mZ3Q7PGJyPgomZ3Q7wqAgwqDCoMKgwqDCoMKgwqAgbGVm
dGZpcmV3YWxsPXllczxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIGxlZnRob3N0YWNjZXNzPXll
czxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIHJpZ2h0PSVhbnk8YnI+CiZndDvCoCDCoMKgwqDC
oMKgwqDCoCBsZWZ0Y2VydD0vdmFyL2lwZmlyZS9jZXJ0cy9ob3N0Y2VydC5wZW08YnI+CiZndDvC
oCDCoMKgwqDCoMKgwqDCoCByaWdodGNlcnQ9L3Zhci9pcGZpcmUvY2VydHMvWGlhb21pY2VydC5w
ZW08YnI+CiZndDvCoCDCoMKgwqDCoMKgwqDCoCBpa2U9YWVzMjU2LXNoYTJfNTEyLW1vZHAxMDI0
LGFlczI1Ni1zaGEyXzUxMi1tb2RwNzY4ITxicj4KJmd0O8KgIMKgIMKgIMKgIMKgIDxicj4KJmd0
OyBlc3A9YWVzMjU2LXNoYTJfNTEyLW1vZHAxMDI0LGFlczI1Ni1zaGEyXzUxMi1tb2RwNzY4LGFl
czI1Ni1zaGEyXzUxMiE8YnI+CiZndDvCoCDCoMKgwqDCoMKgwqDCoCBrZXlleGNoYW5nZT1pa2V2
MTxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIGlrZWxpZmV0aW1lPTNoPGJyPgomZ3Q7wqAgwqDC
oMKgwqDCoMKgwqAga2V5bGlmZT0xaDxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIGRwZGFjdGlv
bj1jbGVhcjxicj4KJmd0O8KgIMKgwqDCoMKgwqDCoMKgIGRwZGRlbGF5PTMwPGJyPgomZ3Q7wqAg
wqDCoMKgwqDCoMKgwqAgZHBkdGltZW91dD0xMjA8YnI+CiZndDvCoCDCoMKgwqDCoMKgwqDCoCBh
dXRoYnk9eGF1dGhyc2FzaWc8YnI+CiZndDvCoCDCoMKgwqDCoMKgwqDCoCB4YXV0aD1zZXJ2ZXI8
YnI+CiZndDvCoCDCoMKgwqDCoMKgwqDCoCBhdXRvPWFkZDxicj4KJmd0O8KgIMKgwqDCoMKgwqDC
oMKgIHJpZ2h0c291cmNlaXA9PGEgaHJlZj0iaHR0cDovLzEwLjAuMTAuMC8yOSIgcmVsPSJub3Jl
ZmVycmVyIG5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj4xMC4wLjEwLjAvMjk8L2E+ICZsdDs8
YSBocmVmPSJodHRwOi8vMTAuMC4xMC4wLzI5IiByZWw9Im5vcmVmZXJyZXIgbm9yZWZlcnJlciIg
dGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly8xMC4wLjEwLjAvMjk8L2E+Jmd0Ozxicj4KJmd0O8KgIMKg
wqDCoMKgwqDCoMKgIGZyYWdtZW50YXRpb249eWVzPGJyPgomZ3Q7IDxicj4KJmd0OyBXaHkgdGhp
cyBwYXRjaD8gaXQgYWxsb3dzIHRvIGhhdmUgYSBmdW5jdGlvbmFsIHZpc3VhbCBvbiBWUE4gY29u
bmVjdGlvbnMgPGJyPgomZ3Q7IGluIHRoZSB2cG5tYWluLmNnaSBwYWdlLiBFdmVyeXRoaW5nIHRo
YXQgaXMgSU9TIG9yIEFuZHJvaWQgd29ya3Mgd2l0aCA8YnI+CiZndDsgWGF1dGgsIHlvdSBkbyBu
b3Qgc3VwcG9ydCB0aGlzIHR5cGUgb2YgZGV2aWNlLjxicj4KPGJyPgo8YnI+Cjxicj4KPC9ibG9j
a3F1b3RlPjwvZGl2Pgo=

--===============4588696480614157719==--


From michael.tremer@ipfire.org Wed Jul 11 14:14:34 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Fix hook for static address configuration.
Date: Wed, 11 Jul 2018 14:14:33 +0100
Message-ID: <dd0ef20984d2bafc855c946dacefd4ccb70b1d63.camel@ipfire.org>
In-Reply-To: <20180710180451.4001-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5437190989210055858=="

--===============5437190989210055858==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On Tue, 2018-07-10 at 20:04 +0200, Stefan Schantl wrote:
> Add the required hook_new function and "id" information which have been
> introduced in earlier commits to make this hook work again.
> 
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
>  src/hooks/configs/static | 26 +++++++++++++++++++++++++-
>  1 file changed, 25 insertions(+), 1 deletion(-)
> 
> diff --git a/src/hooks/configs/static b/src/hooks/configs/static
> index 91bba8a..37f3d32 100644
> --- a/src/hooks/configs/static
> +++ b/src/hooks/configs/static
> @@ -52,6 +52,8 @@ hook_check_config_settings() {
>  
>  hook_parse_cmdline() {
>  	local protocol
> +	local id="${1}"
> +	shift
>  
>  	while [ $# -gt 0 ]; do
>  		case "${1}" in
> @@ -153,12 +155,34 @@ hook_parse_cmdline() {
>  	fi
>  
>  	# Check any conflicts
> -	if zone_config_check_same_setting "${zone}" "static" "ADDRESS"
> "${ADDRESS}"; then
> +	if zone_config_check_same_setting "${zone}" "static" "${id}"
> "ADDRESS" "${ADDRESS}"; then
>  		error "A static configuration with the same address is
> already configured"
>  		return ${EXIT_CONF_ERROR}
>  	fi
>  }
>  
> +hook_new() {
> +	local zone="${1}"
> +	shift
> +
> +	if zone_config_hook_is_configured ${zone} "static"; then
> +		log ERROR "You can configure the static hook only once for a
> zone"
> +		return ${EXIT_ERROR}
> +	fi

This is incorrect. Why should it only be possible once?

> +
> +	local id=$(zone_config_get_new_id ${zone})
> +	log DEBUG "ID for the config is: ${id}"
> +
> +	if ! hook_parse_cmdline "${id}" "$@"; then
> +		# Return an error if the parsing of the cmd line fails
> +		return ${EXIT_ERROR}
> +	fi
> +
> +	zone_config_settings_write "${zone}" "${HOOK}" "${id}"
> +
> +	exit ${EXIT_OK}
> +}
> +
>  hook_up() {
>  	local zone="${1}"
>  	local config="${2}"

--===============5437190989210055858==--


From peter.mueller@link38.eu Wed Jul 11 20:49:13 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Upcoming telephone conference regarding IDS situation in 2.x
Date: Wed, 11 Jul 2018 21:48:57 +0200
Message-ID: <1917827b-81ab-9130-79e8-8c85b8cf8872@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1851975900619563194=="

--===============1851975900619563194==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello *,

just for those who are interested: There will be a telephone conference
on 20:00 CEST next Monday (16.07.) in conference room 1 regarding the IDS
situation in IPFire 2.x .

Over time, some bugs have been collected and we need to decide about
the next step. On possibility is to keep Snort in 2.x and fix these bugs
so we have a clean setup there. The other way Stefan and myself worked
out is to switch to Suricata in 2.x (for 3.x, it is already settled, so
we have to deal with it sooner or later) and use a completely new IDS CGI.

For the latter, Stefan already did some work:
https://git.ipfire.org/?p=3Dpeople/stevee/ipfire-2.x.git;a=3Dshortlog;h=3Dref=
s/heads/ids.cgi-new

In case anybody is interested, please join.

@Michael: Raise hand in case room 1 is occupied on this evening. Thanks. :-)

Thanks, and Best regards,
Peter M=C3=BCller
--=20
"We don't care.  We don't have to.  We're the Phone Company."


--===============1851975900619563194==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWx0R1h5a0FDZ2tRMlVqeUQzMTcKbjJpVzVnLzlFNjNQd0dpOXZR
bzRFVTJOYkJLRHU5MW4ycGw5aXR0Qk1WZWk3N1pGN01CUFR0Tnh4eGdrZWpiSAppc1ZJSWxzekgx
bmxLU0czdEI0dzNyWE9TUmZHTDFJWlAyOEJnVFgwV0tGYTQ3d1FsdGVnalk3TVZnNlJyQzRqCkx2
WS9NSWhaZFNBSldxTmVXMnZwSXFPTVJVRW44RmJoVFM1SVU5TDNTelFYS2ZzbHFkN2JvSElJbGN3
L1h4SzcKQnN1MDBBdUl6SzZpd0o4ejdHdVdjUTlibGk3Zk53S3Fhc0RSNHM2V3hjdTdMa1RpTUsw
Y1lsbkxadk9OV1BWZQpuM1NFNVk3cWZpbzZPN0ZmRFVKWjcyakc1QUNObVpVVFh0ZzhGWlA0MUlF
VWdsY1YyK2grTEk1NjRhUzNTekN6CkJ0bGpKRkRWcjJrL243N2JDYlgxcFRTYStDclhoaTJHYTJR
b0dtZllqNWdXamszSlJkWjl0MzhuY1ljdVRmcEkKQUFVeFJlMFIvVHcwZTNoVERxYmoyWmtBeFI2
OEpKUkEwODRBS0RtSXZhdVplVkRNeXZ1Y3hjU1NTY1FHTEIyUwpjSWJZZGlCM0IxTFBPMXd3TFlo
dEpSbkpJOHhrcGdPWENwOWJjRjFTbEFaekNlUUpncmpCMHpvTDhBWlRPSlVlCktZMzlhU1ZQZzJj
QXdyaFh5YkNNQXRKdDg5dkxCMVI4Q0RrOG83S0toMlZvLzFMYjVWSFMrM0tzTkM5RkxIWkwKOEU4
YWIzZ1Q1VWlHR0Y0eE5FVExBWlJMZjltMzBFc09POG4wNnV5VUhOVld6Q3lEazl4cmIxZjNLNk4z
WEhZcwo0STlXbUlvdGRhQ0tuR1laQWRIV0Z4YWR1b2VTOFNBczFoZTFHVnZCR3JUdFVGcm96MlE9
Cj1uQ3d0Ci0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============1851975900619563194==--


From michael.tremer@ipfire.org Thu Jul 12 09:53:06 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Upcoming telephone conference regarding IDS situation in 2.x
Date: Thu, 12 Jul 2018 09:53:05 +0100
Message-ID: <c1ec0c039ef6fb9910af74fc53bd7b60e72c95bf.camel@ipfire.org>
In-Reply-To: <1917827b-81ab-9130-79e8-8c85b8cf8872@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6156964012579981222=="

--===============6156964012579981222==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2018-07-11 at 21:48 +0200, Peter M=C3=BCller wrote:
> Hello *,
>=20
> just for those who are interested: There will be a telephone conference
> on 20:00 CEST next Monday (16.07.) in conference room 1 regarding the IDS
> situation in IPFire 2.x .
>=20
> Over time, some bugs have been collected and we need to decide about
> the next step. On possibility is to keep Snort in 2.x and fix these bugs
> so we have a clean setup there. The other way Stefan and myself worked
> out is to switch to Suricata in 2.x (for 3.x, it is already settled, so
> we have to deal with it sooner or later) and use a completely new IDS CGI.
>=20
> For the latter, Stefan already did some work:
> https://git.ipfire.org/?p=3Dpeople/stevee/ipfire-2.x.git;a=3Dshortlog;h=3Dr=
efs/heads
> /ids.cgi-new
>=20
> In case anybody is interested, please join.
>=20
> @Michael: Raise hand in case room 1 is occupied on this evening. Thanks. :-)

No, we don't have that many concurrent conferences going on at the same time =
:)

The number to dial in is 901.

Best,
- -Michael

>=20
> Thanks, and Best regards,
> Peter M=C3=BCller
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAltHFvEACgkQgHnw/2+Q
CQdg2Q/9Ge7z+zA3AlVfpKh6gq/LZBd4W2bWWbjHPA/BVFT/cX0lJSzK1dSm4+Oq
iwboBv9tbkxEBNDVY2+Bufei7CCQo6Zj+cVrAyqG5FF8aqkDX0QP1xVcJzNm/Xf9
HFjpmc2c+cmsZa4Z9WSsQuld51A5i+E/ZCFh+H9l6vGw4vPRSRq7kn0nMoRPYVsO
9maJXYD+PiM70t7OjLIwpldQKgL9/oZDbpoANwBmhJHp0u9aHrnw3J3FdKtmm/nh
TByql27CEPvP7dvyz03JO5U60f5IcyBoHG808rvquKB/fnOtGK8JAfYzlXzuR5qD
mjwiAry6OLr5GeVTwPLrMGQMu1JBxgee7Xcnd6wp3l9BMC1BUhRCFAyvnx+63eIY
OxDStgY0S9zxOkrIV0ZKTLTPgQ635eR+v7eaen1evak7yiV+yJ6zw4c1DBI466qs
zplt4nbYMn41G65tCr6LCoIfghv0R8oA7uwdET5G6Hgb2yaVGTxbK5jPjSeYs30f
ME9Wab7llC9dGflYiBHCcXXWTHOZhV7BAwOXwGIdXklacpNkvkiaXHzY6Lfk9sdB
mBsE+kd9mSpP5tAjw2EAqpGds9ClGw93xMRMOrQ6ROvaxk5jzdhszPw/2wSlnMnL
FKmJWt1J3vkg0WeUBKh7agsOXZJS0BQefLL6M9Ft34UVMRP0dz0=3D
=3D5RHb
-----END PGP SIGNATURE-----


--===============6156964012579981222==--


From michael.tremer@ipfire.org Thu Jul 12 10:30:46 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Thu, 12 Jul 2018 10:30:45 +0100
Message-ID: <9a8c527624c8dda597bd27ba0ae01861ed03383f.camel@ipfire.org>
In-Reply-To:
 <CAP6ncsnpm30AVsfVE2ywCYQsWu-qjuqASC64Y2eZ+Nq7++V6Dg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2257217116340867868=="

--===============2257217116340867868==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> I present what I know that works.  Since I haven't tested, but if you say s=
o,
> it's to be tested.=20

I suppose setting rightauth=3Dxauth should work for IKEv2 as well as IKEv1.

> I was forgetting, of course, xauth needs a login/password pair to declare in
> ipsec.user.secret.

This kind of renders the patch useless then if there is no way to set username
and password. This could be added to the connection just like entering the PS=
K.

Best,
-Michael

> Le mar. 10 juil. 2018 =C3=A0 20:11, Tom Rymes <trymes(a)rymes.com> a =C3=A9=
crit :
> > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,=20
> > don't they?
> >=20
> > Tom
> >=20
> > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > Hi Michael,
> > >=20
> > >=20
> > > For it to work, you simply need to generate a Roadwarrior connection pe=
r=20
> > > certificate. Then, change what is red, either replace cert by=20
> > > xauthrsasiget put ikev1 instead of ikev2.
> > >=20
> > > [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> > >
> > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.0/255.255.255.0,,,10=
.0.
> > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_512,1024|768|n=
one
> > ,on,,,clear,on=20
> > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,off,3,1,aes256,=
sha
> > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,clear,on>,ikev1,1=
20,
> > 30,off,start,900
> > >=20
> > > Here is the result in the file :
> > >=20
> > > conn Xiaomi
> > >          left=3Dvpn.jbsky.fr <http://vpn.jbsky.fr>
> > >          leftsubnet=3D192.168.0.0/24 <http://192.168.0.0/24>
> > >          leftfirewall=3Dyes
> > >          lefthostaccess=3Dyes
> > >          right=3D%any
> > >          leftcert=3D/var/ipfire/certs/hostcert.pem
> > >          rightcert=3D/var/ipfire/certs/Xiaomicert.pem
> > >          ike=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > >         =20
> > > esp=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768,aes256-sha2_512!
> > >          keyexchange=3Dikev1
> > >          ikelifetime=3D3h
> > >          keylife=3D1h
> > >          dpdaction=3Dclear
> > >          dpddelay=3D30
> > >          dpdtimeout=3D120
> > >          authby=3Dxauthrsasig
> > >          xauth=3Dserver
> > >          auto=3Dadd
> > >          rightsourceip=3D10.0.10.0/29 <http://10.0.10.0/29>
> > >          fragmentation=3Dyes
> > >=20
> > > Why this patch? it allows to have a functional visual on VPN connection=
s=20
> > > in the vpnmain.cgi page. Everything that is IOS or Android works with=20
> > > Xauth, you do not support this type of device.
> >=20
> >=20
> >=20

--===============2257217116340867868==--


From blais.julien.30@gmail.com Thu Jul 12 12:32:56 2018
From: Julien Blais <blais.julien.30@gmail.com>
To: development@lists.ipfire.org
Subject: Re: [PATCH 1/2] File modified : html/cgi-bin/vpnmain.cgi
Date: Thu, 12 Jul 2018 13:32:53 +0200
Message-ID:
 <CAP6ncskKtPTS9mYmx2O=juGSUc=8RcAikBypMte0LSfDK+FApg@mail.gmail.com>
In-Reply-To: <9a8c527624c8dda597bd27ba0ae01861ed03383f.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1073801437983485488=="

--===============1073801437983485488==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

I tested with ikev2, unfortunately, it doesn't work.

Jul 10 22:33:58 ipfire charon: 13[IKE] no IKE config found for IP1...IP2
sending NO_PROPOSAL_CHOSEN


I remind you that you have a page dedicated to this type of connection,
here I can read IKEv1. :)
https://wiki.ipfire.org/configuration/services/ipsec/example_configuration-_r=
oadwarrior_with_android
As a reminder, the configuration to put in the file
/etc/ipsec.user.secret.user

cat /etc/ipsec.user.secret.user
Xiaomi : XAUTH "PASSWORD"
To apply the idea I propose, you need to know how to use the Bash, and add
a login/password data set, it's as easy as modifying in the vpn config file.

I wish to highlight one positive point, by going through the @ipfire:444
frontend, changing the options of a VPN connection, example
IKEv1->IKEv2->IKEv1, keeps the xauthrsasig parameter.

It's not an unnecessary fix, that despite a change from the @IPFIRE:444
interface, it keeps the "xauthrsasig" record and writes the VPN connection
configuration correctly.

The real question is who will use this improvement?

This is a first step towards XAUTH support, but you still have to want to
take it.

Le jeu. 12 juil. 2018 =C3=A0 11:30, Michael Tremer <michael.tremer(a)ipfire.o=
rg> a
=C3=A9crit :

> On Tue, 2018-07-10 at 20:17 +0200, Julien Blais wrote:
> > I present what I know that works.  Since I haven't tested, but if you
> say so,
> > it's to be tested.
>
> I suppose setting rightauth=3Dxauth should work for IKEv2 as well as IKEv1.
>
> > I was forgetting, of course, xauth needs a login/password pair to
> declare in
> > ipsec.user.secret.
>
> This kind of renders the patch useless then if there is no way to set
> username
> and password. This could be added to the connection just like entering the
> PSK.
>
> Best,
> -Michael
>
> > Le mar. 10 juil. 2018 =C3=A0 20:11, Tom Rymes <trymes(a)rymes.com> a =C3=
=A9crit :
> > > If I may ask, why IKEv1? Modern iOS and Android both support IKEv2,
> > > don't they?
> > >
> > > Tom
> > >
> > > On 07/10/2018 2:07 PM, Julien Blais wrote:
> > > > Hi Michael,
> > > >
> > > >
> > > > For it to work, you simply need to generate a Roadwarrior connection
> per
> > > > certificate. Then, change what is red, either replace cert by
> > > > xauthrsasiget put ikev1 instead of ikev2.
> > > >
> > > > [root(a)ipfire ~]# cat /var/ipfire/vpn/config
> > > >
> > > 2,on,Xiaomi,Xiaomi,host,xauthrsasig,,off,,192.168.10.
> 0/255.255.255.0,,,10.0.
> > > 10.0/29,off,,,off,3,1,aes256,sha2_512,1024|768,aes256,sha2_
> 512,1024|768|none
> > > ,on,,,clear,on
> > > > <http://192.168.10.0/255.255.255.0,,,10.0.10.0/29,off,,,
> off,3,1,aes256,sha
> > > 2_512,1024%7C768,aes256,sha2_512,1024%7C768%7Cnone,on,,,
> clear,on>,ikev1,120,
> > > 30,off,start,900
> > > >
> > > > Here is the result in the file :
> > > >
> > > > conn Xiaomi
> > > >          left=3Dvpn.jbsky.fr <http://vpn.jbsky.fr>
> > > >          leftsubnet=3D192.168.0.0/24 <http://192.168.0.0/24>
> > > >          leftfirewall=3Dyes
> > > >          lefthostaccess=3Dyes
> > > >          right=3D%any
> > > >          leftcert=3D/var/ipfire/certs/hostcert.pem
> > > >          rightcert=3D/var/ipfire/certs/Xiaomicert.pem
> > > >          ike=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768!
> > > >
> > > > esp=3Daes256-sha2_512-modp1024,aes256-sha2_512-modp768,
> aes256-sha2_512!
> > > >          keyexchange=3Dikev1
> > > >          ikelifetime=3D3h
> > > >          keylife=3D1h
> > > >          dpdaction=3Dclear
> > > >          dpddelay=3D30
> > > >          dpdtimeout=3D120
> > > >          authby=3Dxauthrsasig
> > > >          xauth=3Dserver
> > > >          auto=3Dadd
> > > >          rightsourceip=3D10.0.10.0/29 <http://10.0.10.0/29>
> > > >          fragmentation=3Dyes
> > > >
> > > > Why this patch? it allows to have a functional visual on VPN
> connections
> > > > in the vpnmain.cgi page. Everything that is IOS or Android works
> with
> > > > Xauth, you do not support this type of device.
> > >
> > >
> > >
>



--===============1073801437983485488==
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"
MIME-Version: 1.0

PGRpdiBkaXI9Imx0ciI+PGRpdiBkaXI9ImF1dG8iPjxkaXYgZGlyPSJhdXRvIj48Zm9udCBzaXpl
PSIyIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6YXJpYWwsaGVsdmV0aWNhLHNhbnMtc2VyaWYi
PkkgdGVzdGVkIHdpdGggaWtldjIsIHVuZm9ydHVuYXRlbHksIGl0IGRvZXNuJiMzOTt0IHdvcmsu
PC9zcGFuPjwvZm9udD48L2Rpdj48ZGl2IGRpcj0iYXV0byI+PGZvbnQgc2l6ZT0iMiI+PHNwYW4g
c3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsLGhlbHZldGljYSxzYW5zLXNlcmlmIj48YnI+PC9zcGFu
PjwvZm9udD48L2Rpdj48ZGl2IGRpcj0iYXV0byI+PGZvbnQgc2l6ZT0iMiI+PHNwYW4gc3R5bGU9
ImZvbnQtZmFtaWx5OmFyaWFsLGhlbHZldGljYSxzYW5zLXNlcmlmIj5KdWwgMTAgMjI6MzM6NTgg
aXBmaXJlIGNoYXJvbjogMTNbSUtFXSBubyBJS0UgY29uZmlnIGZvdW5kIGZvciBJUDEuLi5JUDIg
c2VuZGluZyBOT19QUk9QT1NBTF9DSE9TRU48L3NwYW4+PC9mb250PjwvZGl2PjxkaXYgZGlyPSJh
dXRvIj48Zm9udCBzaXplPSIyIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6YXJpYWwsaGVsdmV0
aWNhLHNhbnMtc2VyaWYiPjxicj48L3NwYW4+PC9mb250PjwvZGl2PjxkaXYgZGlyPSJhdXRvIj48
Zm9udCBzaXplPSIyIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6YXJpYWwsaGVsdmV0aWNhLHNh
bnMtc2VyaWYiPgo8ZGl2Pjxmb250IHNpemU9IjIiIGZhY2U9InJvYm90bywgc2Fucy1zZXJpZiIg
Y29sb3I9IiMxYjFlMjUiPjxzcGFuIHN0eWxlPSJ3aGl0ZS1zcGFjZTpwcmUtd3JhcCI+PGJyPjwv
c3Bhbj48L2ZvbnQ+PC9kaXY+PGRpdj48Zm9udCBzaXplPSIyIiBmYWNlPSJyb2JvdG8sIHNhbnMt
c2VyaWYiIGNvbG9yPSIjMWIxZTI1Ij48c3BhbiBzdHlsZT0id2hpdGUtc3BhY2U6cHJlLXdyYXAi
PkkgcmVtaW5kIHlvdSB0aGF0IHlvdSBoYXZlIGEgcGFnZSBkZWRpY2F0ZWQgdG8gdGhpcyB0eXBl
IG9mIGNvbm5lY3Rpb24sIGhlcmUgSSBjYW4gcmVhZCBJS0V2MS4gOik8YnI+PC9zcGFuPjwvZm9u
dD48L2Rpdj48ZGl2Pjxmb250IHNpemU9IjIiIGZhY2U9InJvYm90bywgc2Fucy1zZXJpZiIgY29s
b3I9IiMxYjFlMjUiPjxzcGFuIHN0eWxlPSJ3aGl0ZS1zcGFjZTpwcmUtd3JhcCI+PC9zcGFuPjwv
Zm9udD48Zm9udCBmYWNlPSJyb2JvdG8sIHNhbnMtc2VyaWYiIGNvbG9yPSIjMWIxZTI1Ij48c3Bh
biBzdHlsZT0iZm9udC1zaXplOjE2cHg7d2hpdGUtc3BhY2U6cHJlLXdyYXAiPjxmb250IHNpemU9
IjIiPjxhIGhyZWY9Imh0dHBzOi8vd2lraS5pcGZpcmUub3JnL2NvbmZpZ3VyYXRpb24vc2Vydmlj
ZXMvaXBzZWMvZXhhbXBsZV9jb25maWd1cmF0aW9uLV9yb2Fkd2Fycmlvcl93aXRoX2FuZHJvaWQi
Pmh0dHBzOi8vd2lraS5pcGZpcmUub3JnL2NvbmZpZ3VyYXRpb24vc2VydmljZXMvaXBzZWMvZXhh
bXBsZV9jb25maWd1cmF0aW9uLV9yb2Fkd2Fycmlvcl93aXRoX2FuZHJvaWQ8L2E+PC9mb250Pjwv
c3Bhbj48L2ZvbnQ+PC9kaXY+PGRpdj48Zm9udCBmYWNlPSJyb2JvdG8sIHNhbnMtc2VyaWYiIGNv
bG9yPSIjMWIxZTI1Ij48c3BhbiBzdHlsZT0iZm9udC1zaXplOjE2cHg7d2hpdGUtc3BhY2U6cHJl
LXdyYXAiPjxmb250IHNpemU9IjIiPjwvZm9udD48L3NwYW4+PC9mb250PjwvZGl2PjxkaXY+PGZv
bnQgZmFjZT0icm9ib3RvLCBzYW5zLXNlcmlmIiBjb2xvcj0iIzFiMWUyNSI+PHNwYW4gc3R5bGU9
ImZvbnQtc2l6ZToxNnB4O3doaXRlLXNwYWNlOnByZS13cmFwIj48Zm9udCBzaXplPSIyIj4KPGRp
diBkaXI9ImF1dG8iPjxmb250IHNpemU9IjIiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTphcmlh
bCxoZWx2ZXRpY2Esc2Fucy1zZXJpZiI+QXMgYSByZW1pbmRlciwgdGhlIGNvbmZpZ3VyYXRpb24g
dG8gcHV0IGluIHRoZSBmaWxlIDxmb250IHNpemU9IjIiPjxzcGFuIHN0eWxlPSJmb250LWZhbWls
eTphcmlhbCxoZWx2ZXRpY2Esc2Fucy1zZXJpZiI+L2V0Yy9pcHNlYy51c2VyLnNlY3JldC51c2Vy
PC9zcGFuPjwvZm9udD48L3NwYW4+PC9mb250PjwvZGl2PjxkaXYgZGlyPSJhdXRvIj48Zm9udCBz
aXplPSIyIj48c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6YXJpYWwsaGVsdmV0aWNhLHNhbnMtc2Vy
aWYiPjxmb250IHNpemU9IjIiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTphcmlhbCxoZWx2ZXRp
Y2Esc2Fucy1zZXJpZiI+PGJyPjwvc3Bhbj48L2ZvbnQ+PC9zcGFuPjwvZm9udD48L2Rpdj48ZGl2
IGRpcj0iYXV0byI+PGZvbnQgc2l6ZT0iMiI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFs
LGhlbHZldGljYSxzYW5zLXNlcmlmIj48Zm9udCBzaXplPSIyIj48c3BhbiBzdHlsZT0iZm9udC1m
YW1pbHk6YXJpYWwsaGVsdmV0aWNhLHNhbnMtc2VyaWYiPjwvc3Bhbj48L2ZvbnQ+Y2F0IC9ldGMv
aXBzZWMudXNlci5zZWNyZXQudXNlcjxicj5YaWFvbWkgOiBYQVVUSCAmcXVvdDtQQVNTV09SRCZx
dW90Ozwvc3Bhbj48L2ZvbnQ+PGZvbnQgZmFjZT0icm9ib3RvLCBzYW5zLXNlcmlmIiBjb2xvcj0i
IzFiMWUyNSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNnB4O3doaXRlLXNwYWNlOnByZS13cmFw
Ij48YnI+PC9zcGFuPjwvZm9udD48L2Rpdj48L2ZvbnQ+PC9zcGFuPjwvZm9udD48L2Rpdj48ZGl2
IGRpcj0iYXV0byI+PGZvbnQgZmFjZT0icm9ib3RvLCBzYW5zLXNlcmlmIiBjb2xvcj0iIzFiMWUy
NSI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxNnB4O3doaXRlLXNwYWNlOnByZS13cmFwIj48Zm9u
dCBzaXplPSIyIj4KPGRpdiBkaXI9ImF1dG8iPjxmb250IHNpemU9IjIiPjxzcGFuIHN0eWxlPSJm
b250LWZhbWlseTphcmlhbCxoZWx2ZXRpY2Esc2Fucy1zZXJpZiI+PHNwYW4gc3R5bGU9ImNvbG9y
OnJnYigyNywzMCwzNyk7d2hpdGUtc3BhY2U6cHJlLXdyYXA7YmFja2dyb3VuZC1jb2xvcjpyZ2Io
MjQ4LDI0OCwyNDgpIj5UbyBhcHBseSB0aGUgaWRlYSBJIHByb3Bvc2UsIHlvdSBuZWVkIHRvIGtu
b3cgaG93IHRvIHVzZSB0aGUgQmFzaCwgYW5kIGFkZCBhIGxvZ2luL3Bhc3N3b3JkIGRhdGEgc2V0
LCBpdCYjMzk7cyBhcyBlYXN5IGFzIG1vZGlmeWluZyBpbiB0aGUgdnBuIGNvbmZpZyBmaWxlLjwv
c3Bhbj48L3NwYW4+PC9mb250PjwvZGl2PjxkaXYgZGlyPSJhdXRvIj48Zm9udCBzaXplPSIyIj48
c3BhbiBzdHlsZT0iZm9udC1mYW1pbHk6YXJpYWwsaGVsdmV0aWNhLHNhbnMtc2VyaWYiPjxzcGFu
IHN0eWxlPSJjb2xvcjpyZ2IoMjcsMzAsMzcpO3doaXRlLXNwYWNlOnByZS13cmFwO2JhY2tncm91
bmQtY29sb3I6cmdiKDI0OCwyNDgsMjQ4KSI+PC9zcGFuPjwvc3Bhbj48L2ZvbnQ+PGZvbnQgc2l6
ZT0iMiI+PHNwYW4gc3R5bGU9ImZvbnQtZmFtaWx5OmFyaWFsLGhlbHZldGljYSxzYW5zLXNlcmlm
Ij48YnI+PC9zcGFuPjwvZm9udD48L2Rpdj48ZGl2IGRpcj0iYXV0byI+PGZvbnQgY29sb3I9IiMx
YjFlMjUiPjxzcGFuIHN0eWxlPSJmb250LWZhbWlseTphcmlhbCxoZWx2ZXRpY2Esc2Fucy1zZXJp
ZiI+SSB3aXNoIHRvIGhpZ2hsaWdodCBvbmUgcG9zaXRpdmUgcG9pbnQsIGJ5IGdvaW5nIHRocm91
Z2ggdGhlIEBpcGZpcmU6NDQ0IGZyb250ZW5kLCBjaGFuZ2luZyB0aGUgb3B0aW9ucyBvZiBhIFZQ
TiBjb25uZWN0aW9uLCBleGFtcGxlIElLRXYxLSZndDtJS0V2Mi0mZ3Q7SUtFdjEsIGtlZXBzIHRo
ZSB4YXV0aHJzYXNpZyBwYXJhbWV0ZXIuPC9zcGFuPjxmb250IGZhY2U9InJvYm90bywgc2Fucy1z
ZXJpZiI+PGJyPjwvZm9udD48L2ZvbnQ+PC9kaXY+PGRpdiBkaXI9ImF1dG8iPjxmb250IGNvbG9y
PSIjMWIxZTI1Ij48Zm9udCBmYWNlPSJyb2JvdG8sIHNhbnMtc2VyaWYiPjxicj48L2ZvbnQ+PC9m
b250PjwvZGl2PjxkaXYgZGlyPSJhdXRvIj48Zm9udCBjb2xvcj0iIzFiMWUyNSI+PGZvbnQgZmFj
ZT0icm9ib3RvLCBzYW5zLXNlcmlmIj5JdCYjMzk7cyBub3QgYW4gdW5uZWNlc3NhcnkgZml4LCB0
aGF0IGRlc3BpdGUgYSBjaGFuZ2UgZnJvbSB0aGUgQElQRklSRTo0NDQgaW50ZXJmYWNlLCBpdCBr
ZWVwcyB0aGUgJnF1b3Q7eGF1dGhyc2FzaWcmcXVvdDsgcmVjb3JkIGFuZCB3cml0ZXMgdGhlIFZQ
TiBjb25uZWN0aW9uIGNvbmZpZ3VyYXRpb24gY29ycmVjdGx5LjwvZm9udD48L2ZvbnQ+PGZvbnQg
ZmFjZT0icm9ib3RvLCBzYW5zLXNlcmlmIiBjb2xvcj0iIzFiMWUyNSI+PHNwYW4gc3R5bGU9ImZv
bnQtc2l6ZToxNnB4O3doaXRlLXNwYWNlOnByZS13cmFwIj48L3NwYW4+PC9mb250PjwvZGl2Pjwv
Zm9udD48L3NwYW4+PC9mb250PjxkaXY+PGJyPjxmb250IGZhY2U9InJvYm90bywgc2Fucy1zZXJp
ZiIgY29sb3I9IiMxYjFlMjUiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTZweDt3aGl0ZS1zcGFj
ZTpwcmUtd3JhcCI+PC9zcGFuPjwvZm9udD48L2Rpdj48ZGl2Pjxmb250IHNpemU9IjIiIGZhY2U9
InJvYm90bywgc2Fucy1zZXJpZiIgY29sb3I9IiMxYjFlMjUiPjxzcGFuIHN0eWxlPSJ3aGl0ZS1z
cGFjZTpwcmUtd3JhcCI+VGhlIHJlYWwgcXVlc3Rpb24gaXMgd2hvIHdpbGwgdXNlIHRoaXMgaW1w
cm92ZW1lbnQ/PC9zcGFuPjwvZm9udD48L2Rpdj48ZGl2Pjxmb250IHNpemU9IjIiIGZhY2U9InJv
Ym90bywgc2Fucy1zZXJpZiIgY29sb3I9IiMxYjFlMjUiPjxzcGFuIHN0eWxlPSJ3aGl0ZS1zcGFj
ZTpwcmUtd3JhcCI+PGJyPjwvc3Bhbj48L2ZvbnQ+PC9kaXY+PC9kaXY+PGRpdiBkaXI9ImF1dG8i
PlRoaXMgaXMgYSBmaXJzdCBzdGVwIHRvd2FyZHMgWEFVVEggc3VwcG9ydCwgYnV0IHlvdSBzdGls
bCBoYXZlIHRvIHdhbnQgdG8gdGFrZSBpdC48YnI+PC9kaXY+PC9zcGFuPjwvZm9udD48L2Rpdj48
L2Rpdj48YnI+PGRpdiBjbGFzcz0iZ21haWxfcXVvdGUiPjxkaXYgZGlyPSJsdHIiPkxlIGpldS4g
MTIganVpbC4gMjAxOCDDoCAxMTozMCwgTWljaGFlbCBUcmVtZXIgJmx0OzxhIGhyZWY9Im1haWx0
bzptaWNoYWVsLnRyZW1lckBpcGZpcmUub3JnIiB0YXJnZXQ9Il9ibGFuayI+bWljaGFlbC50cmVt
ZXJAaXBmaXJlLm9yZzwvYT4mZ3Q7IGEgw6ljcml0wqA6PGJyPjwvZGl2PjxibG9ja3F1b3RlIGNs
YXNzPSJnbWFpbF9xdW90ZSIgc3R5bGU9Im1hcmdpbjowcHggMHB4IDBweCAwLjhleDtib3JkZXIt
bGVmdDoxcHggc29saWQgcmdiKDIwNCwyMDQsMjA0KTtwYWRkaW5nLWxlZnQ6MWV4Ij5PbiBUdWUs
IDIwMTgtMDctMTAgYXQgMjA6MTcgKzAyMDAsIEp1bGllbiBCbGFpcyB3cm90ZTo8YnI+CiZndDsg
SSBwcmVzZW50IHdoYXQgSSBrbm93IHRoYXQgd29ya3MuwqAgU2luY2UgSSBoYXZlbiYjMzk7dCB0
ZXN0ZWQsIGJ1dCBpZiB5b3Ugc2F5IHNvLDxicj4KJmd0OyBpdCYjMzk7cyB0byBiZSB0ZXN0ZWQu
IDxicj4KPGJyPgpJIHN1cHBvc2Ugc2V0dGluZyByaWdodGF1dGg9eGF1dGggc2hvdWxkIHdvcmsg
Zm9yIElLRXYyIGFzIHdlbGwgYXMgSUtFdjEuPGJyPgo8YnI+CiZndDsgSSB3YXMgZm9yZ2V0dGlu
Zywgb2YgY291cnNlLCB4YXV0aCBuZWVkcyBhIGxvZ2luL3Bhc3N3b3JkIHBhaXIgdG8gZGVjbGFy
ZSBpbjxicj4KJmd0OyBpcHNlYy51c2VyLnNlY3JldC48YnI+Cjxicj4KVGhpcyBraW5kIG9mIHJl
bmRlcnMgdGhlIHBhdGNoIHVzZWxlc3MgdGhlbiBpZiB0aGVyZSBpcyBubyB3YXkgdG8gc2V0IHVz
ZXJuYW1lPGJyPgphbmQgcGFzc3dvcmQuIFRoaXMgY291bGQgYmUgYWRkZWQgdG8gdGhlIGNvbm5l
Y3Rpb24ganVzdCBsaWtlIGVudGVyaW5nIHRoZSBQU0suPGJyPgo8YnI+CkJlc3QsPGJyPgotTWlj
aGFlbDxicj4KPGJyPgomZ3Q7IExlIG1hci4gMTAganVpbC4gMjAxOCDDoCAyMDoxMSwgVG9tIFJ5
bWVzICZsdDs8YSBocmVmPSJtYWlsdG86dHJ5bWVzQHJ5bWVzLmNvbSIgcmVsPSJub3JlZmVycmVy
IiB0YXJnZXQ9Il9ibGFuayI+dHJ5bWVzQHJ5bWVzLmNvbTwvYT4mZ3Q7IGEgw6ljcml0IDo8YnI+
CiZndDsgJmd0OyBJZiBJIG1heSBhc2ssIHdoeSBJS0V2MT8gTW9kZXJuIGlPUyBhbmQgQW5kcm9p
ZCBib3RoIHN1cHBvcnQgSUtFdjIsIDxicj4KJmd0OyAmZ3Q7IGRvbiYjMzk7dCB0aGV5Pzxicj4K
Jmd0OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7IFRvbTxicj4KJmd0OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7
IE9uIDA3LzEwLzIwMTggMjowNyBQTSwgSnVsaWVuIEJsYWlzIHdyb3RlOjxicj4KJmd0OyAmZ3Q7
ICZndDsgSGkgTWljaGFlbCw8YnI+CiZndDsgJmd0OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7ICZndDsg
PGJyPgomZ3Q7ICZndDsgJmd0OyBGb3IgaXQgdG8gd29yaywgeW91IHNpbXBseSBuZWVkIHRvIGdl
bmVyYXRlIGEgUm9hZHdhcnJpb3IgY29ubmVjdGlvbiBwZXIgPGJyPgomZ3Q7ICZndDsgJmd0OyBj
ZXJ0aWZpY2F0ZS4gVGhlbiwgY2hhbmdlIHdoYXQgaXMgcmVkLCBlaXRoZXIgcmVwbGFjZSBjZXJ0
IGJ5IDxicj4KJmd0OyAmZ3Q7ICZndDsgeGF1dGhyc2FzaWdldCBwdXQgaWtldjEgaW5zdGVhZCBv
ZiBpa2V2Mi48YnI+CiZndDsgJmd0OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7ICZndDsgW3Jvb3RAaXBm
aXJlIH5dIyBjYXQgL3Zhci9pcGZpcmUvdnBuL2NvbmZpZzxicj4KJmd0OyAmZ3Q7ICZndDs8YnI+
CiZndDsgJmd0OyAyLG9uLFhpYW9taSxYaWFvbWksaG9zdCw8d2JyPnhhdXRocnNhc2lnLCxvZmYs
LDxhIGhyZWY9Imh0dHA6Ly8xOTIuMTY4LjEwLjAvMjU1LjI1NS4yNTUuMCwsLDEwLjAiIHJlbD0i
bm9yZWZlcnJlciBub3JlZmVycmVyIiB0YXJnZXQ9Il9ibGFuayI+MTkyLjE2OC4xMC48d2JyPjAv
MjU1LjI1NS4yNTUuMCwsLDEwLjA8L2E+Ljxicj4KJmd0OyAmZ3Q7IDEwLjAvMjksb2ZmLCwsb2Zm
LDMsMSxhZXMyNTYsPHdicj5zaGEyXzUxMiwxMDI0fDc2OCxhZXMyNTYsc2hhMl88d2JyPjUxMiwx
MDI0fDc2OHxub25lPGJyPgomZ3Q7ICZndDsgLG9uLCwsY2xlYXIsb24gPGJyPgomZ3Q7ICZndDsg
Jmd0OyAmbHQ7PGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMTAuMC8yNTUuMjU1LjI1NS4wLCwsMTAu
MC4xMC4wLzI5LG9mZiwsLG9mZiwzLDEsYWVzMjU2LHNoYSIgcmVsPSJub3JlZmVycmVyIG5vcmVm
ZXJyZXIiIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vMTkyLjE2OC4xMC4wLzI1NS4yNTUuPHdicj4y
NTUuMCwsLDEwLjAuMTAuMC8yOSxvZmYsLCw8d2JyPm9mZiwzLDEsYWVzMjU2LHNoYTwvYT48YnI+
CiZndDsgJmd0OyAyXzUxMiwxMDI0JTdDNzY4LGFlczI1NixzaGEyXzx3YnI+NTEyLDEwMjQlN0M3
NjglN0Nub25lLG9uLCwsPHdicj5jbGVhcixvbiZndDssaWtldjEsMTIwLDxicj4KJmd0OyAmZ3Q7
IDMwLG9mZixzdGFydCw5MDA8YnI+CiZndDsgJmd0OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7ICZndDsg
SGVyZSBpcyB0aGUgcmVzdWx0IGluIHRoZSBmaWxlIDo8YnI+CiZndDsgJmd0OyAmZ3Q7IDxicj4K
Jmd0OyAmZ3Q7ICZndDsgY29ubiBYaWFvbWk8YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAg
wqAgbGVmdD08YSBocmVmPSJodHRwOi8vdnBuLmpic2t5LmZyIiByZWw9Im5vcmVmZXJyZXIgbm9y
ZWZlcnJlciIgdGFyZ2V0PSJfYmxhbmsiPnZwbi5qYnNreS5mcjwvYT4gJmx0OzxhIGhyZWY9Imh0
dHA6Ly92cG4uamJza3kuZnIiIHJlbD0ibm9yZWZlcnJlciBub3JlZmVycmVyIiB0YXJnZXQ9Il9i
bGFuayI+aHR0cDovL3Zwbi5qYnNreS5mcjwvYT4mZ3Q7PGJyPgomZ3Q7ICZndDsgJmd0O8KgIMKg
IMKgIMKgIMKgIGxlZnRzdWJuZXQ9PGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMC4wLzI0IiByZWw9
Im5vcmVmZXJyZXIgbm9yZWZlcnJlciIgdGFyZ2V0PSJfYmxhbmsiPjE5Mi4xNjguMC4wLzI0PC9h
PiAmbHQ7PGEgaHJlZj0iaHR0cDovLzE5Mi4xNjguMC4wLzI0IiByZWw9Im5vcmVmZXJyZXIgbm9y
ZWZlcnJlciIgdGFyZ2V0PSJfYmxhbmsiPmh0dHA6Ly8xOTIuMTY4LjAuMC8yNDwvYT4mZ3Q7PGJy
PgomZ3Q7ICZndDsgJmd0O8KgIMKgIMKgIMKgIMKgIGxlZnRmaXJld2FsbD15ZXM8YnI+CiZndDsg
Jmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAgbGVmdGhvc3RhY2Nlc3M9eWVzPGJyPgomZ3Q7ICZndDsg
Jmd0O8KgIMKgIMKgIMKgIMKgIHJpZ2h0PSVhbnk8YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAg
wqAgwqAgbGVmdGNlcnQ9L3Zhci9pcGZpcmUvY2VydHMvPHdicj5ob3N0Y2VydC5wZW08YnI+CiZn
dDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAgcmlnaHRjZXJ0PS92YXIvaXBmaXJlL2NlcnRzLzx3
YnI+WGlhb21pY2VydC5wZW08YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAgaWtlPWFl
czI1Ni1zaGEyXzUxMi1tb2RwMTAyNCw8d2JyPmFlczI1Ni1zaGEyXzUxMi1tb2RwNzY4ITxicj4K
Jmd0OyAmZ3Q7ICZndDvCoCDCoCDCoCDCoCDCoCA8YnI+CiZndDsgJmd0OyAmZ3Q7IGVzcD1hZXMy
NTYtc2hhMl81MTItbW9kcDEwMjQsPHdicj5hZXMyNTYtc2hhMl81MTItbW9kcDc2OCw8d2JyPmFl
czI1Ni1zaGEyXzUxMiE8YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAga2V5ZXhjaGFu
Z2U9aWtldjE8YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAgaWtlbGlmZXRpbWU9M2g8
YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAga2V5bGlmZT0xaDxicj4KJmd0OyAmZ3Q7
ICZndDvCoCDCoCDCoCDCoCDCoCBkcGRhY3Rpb249Y2xlYXI8YnI+CiZndDsgJmd0OyAmZ3Q7wqAg
wqAgwqAgwqAgwqAgZHBkZGVsYXk9MzA8YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAg
ZHBkdGltZW91dD0xMjA8YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAgYXV0aGJ5PXhh
dXRocnNhc2lnPGJyPgomZ3Q7ICZndDsgJmd0O8KgIMKgIMKgIMKgIMKgIHhhdXRoPXNlcnZlcjxi
cj4KJmd0OyAmZ3Q7ICZndDvCoCDCoCDCoCDCoCDCoCBhdXRvPWFkZDxicj4KJmd0OyAmZ3Q7ICZn
dDvCoCDCoCDCoCDCoCDCoCByaWdodHNvdXJjZWlwPTxhIGhyZWY9Imh0dHA6Ly8xMC4wLjEwLjAv
MjkiIHJlbD0ibm9yZWZlcnJlciBub3JlZmVycmVyIiB0YXJnZXQ9Il9ibGFuayI+MTAuMC4xMC4w
LzI5PC9hPiAmbHQ7PGEgaHJlZj0iaHR0cDovLzEwLjAuMTAuMC8yOSIgcmVsPSJub3JlZmVycmVy
IG5vcmVmZXJyZXIiIHRhcmdldD0iX2JsYW5rIj5odHRwOi8vMTAuMC4xMC4wLzI5PC9hPiZndDs8
YnI+CiZndDsgJmd0OyAmZ3Q7wqAgwqAgwqAgwqAgwqAgZnJhZ21lbnRhdGlvbj15ZXM8YnI+CiZn
dDsgJmd0OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7ICZndDsgV2h5IHRoaXMgcGF0Y2g/IGl0IGFsbG93
cyB0byBoYXZlIGEgZnVuY3Rpb25hbCB2aXN1YWwgb24gVlBOIGNvbm5lY3Rpb25zIDxicj4KJmd0
OyAmZ3Q7ICZndDsgaW4gdGhlIHZwbm1haW4uY2dpIHBhZ2UuIEV2ZXJ5dGhpbmcgdGhhdCBpcyBJ
T1Mgb3IgQW5kcm9pZCB3b3JrcyB3aXRoIDxicj4KJmd0OyAmZ3Q7ICZndDsgWGF1dGgsIHlvdSBk
byBub3Qgc3VwcG9ydCB0aGlzIHR5cGUgb2YgZGV2aWNlLjxicj4KJmd0OyAmZ3Q7IDxicj4KJmd0
OyAmZ3Q7IDxicj4KJmd0OyAmZ3Q7IDxicj4KPC9ibG9ja3F1b3RlPjwvZGl2Pgo8L2Rpdj4K

--===============1073801437983485488==--


From matthias.fischer@ipfire.org Sat Jul 14 11:29:01 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: 81.3.27.54 => rDNS => Reverse lookup failed
Date: Sat, 14 Jul 2018 12:29:06 +0200
Message-ID: <4b523cc5-c77a-2ca9-d1c7-1cd64fe1f15f@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4479141821444741650=="

--===============4479141821444741650==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi!

Since both DNS.WATCH-Servers are unavailable since today...

=> https://forum.ipfire.org/viewtopic.php?f=27&t=20253&p=117259#p117259

...I switched to Lightning Wire Labs (81.3.27.54).

'unbound' says that everything is OK, DNSSEC is OK, testing is OK.

But IPFire-GUI tells me that for 'rDNS' "Reverse lookup failed".

Can anyone confirm? Reason?

Best,
Matthias

--===============4479141821444741650==--


From michael.tremer@ipfire.org Sat Jul 14 14:34:39 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: 81.3.27.54 => rDNS => Reverse lookup failed
Date: Sat, 14 Jul 2018 14:34:38 +0100
Message-ID: <547390ae2283fec6cd1bd7ef43bd7e7a946a226d.camel@ipfire.org>
In-Reply-To: <4b523cc5-c77a-2ca9-d1c7-1cd64fe1f15f@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2720504920210367067=="

--===============2720504920210367067==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On Sat, 2018-07-14 at 12:29 +0200, Matthias Fischer wrote:
> Hi!
> 
> Since both DNS.WATCH-Servers are unavailable since today...

LOL

> => https://forum.ipfire.org/viewtopic.php?f=27&t=20253&p=117259#p117259
> 
> ...I switched to Lightning Wire Labs (81.3.27.54).
> 
> 'unbound' says that everything is OK, DNSSEC is OK, testing is OK.
> 
> But IPFire-GUI tells me that for 'rDNS' "Reverse lookup failed".
> 
> Can anyone confirm? Reason?

Yes we don't have Reverse Pointers set up:

  https://bugzilla.ipfire.org/show_bug.cgi?id=11686

Reason? Time :)

Best,
-Michael

> Best,
> Matthias

--===============2720504920210367067==--


From michael.tremer@ipfire.org Sat Jul 14 14:55:21 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] kernel: Enable EFI on aarch64
Date: Sat, 14 Jul 2018 14:55:12 +0100
Message-ID: <20180714135512.1676937-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0038339454174442849=="

--===============0038339454174442849==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 39 +++++++++++++++-------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kerne=
l.config.aarch64-ipfire
index 7444864f308e..37e1907419ad 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 4.14.48-ipfire-multi Kernel Configuration
+# Linux/arm64 4.14.50-ipfire Kernel Configuration
 #
 CONFIG_ARM64=3Dy
 CONFIG_64BIT=3Dy
@@ -441,6 +441,7 @@ CONFIG_PCI_ECAM=3Dy
 # CONFIG_PCI_IOV is not set
 # CONFIG_PCI_PRI is not set
 # CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=3Dy
 # CONFIG_HOTPLUG_PCI is not set
=20
 #
@@ -597,7 +598,9 @@ CONFIG_ARM64_MODULE_CMODEL_LARGE=3Dy
 #
 CONFIG_CMDLINE=3D"console=3DttyAM0,115200 root=3D/dev/sda1 rootdelay=3D20"
 # CONFIG_CMDLINE_FORCE is not set
-# CONFIG_EFI is not set
+CONFIG_EFI_STUB=3Dy
+CONFIG_EFI=3Dy
+CONFIG_DMI=3Dy
=20
 #
 # Userspace binary formats
@@ -2403,7 +2406,6 @@ CONFIG_WLAN=3Dy
 # CONFIG_WIRELESS_WDS is not set
 CONFIG_WLAN_VENDOR_ADMTEK=3Dy
 CONFIG_ADM8211=3Dm
-# CONFIG_RTL8189ES is not set
 CONFIG_ATH_COMMON=3Dm
 CONFIG_WLAN_VENDOR_ATH=3Dy
 # CONFIG_ATH_DEBUG is not set
@@ -2614,7 +2616,6 @@ CONFIG_WL18XX=3Dm
 CONFIG_WLCORE=3Dm
 CONFIG_WLCORE_SDIO=3Dm
 CONFIG_WILINK_PLATFORM_DATA=3Dy
-# CONFIG_WLAN_VENDOR_XRADIO is not set
 CONFIG_WLAN_VENDOR_ZYDAS=3Dy
 CONFIG_USB_ZD1201=3Dm
 CONFIG_ZD1211RW=3Dm
@@ -2861,6 +2862,7 @@ CONFIG_LP_CONSOLE=3Dy
 CONFIG_PPDEV=3Dm
 # CONFIG_HVC_DCC is not set
 CONFIG_IPMI_HANDLER=3Dm
+CONFIG_IPMI_DMI_DECODE=3Dy
 # CONFIG_IPMI_PANIC_EVENT is not set
 CONFIG_IPMI_DEVICE_INTERFACE=3Dm
 CONFIG_IPMI_SI=3Dm
@@ -3580,7 +3582,6 @@ CONFIG_REGULATOR_PFUZE100=3Dy
 # CONFIG_REGULATOR_PV88080 is not set
 # CONFIG_REGULATOR_PV88090 is not set
 # CONFIG_REGULATOR_PWM is not set
-CONFIG_REGULATOR_SY8106A=3Dy
 # CONFIG_REGULATOR_TPS51632 is not set
 # CONFIG_REGULATOR_TPS62360 is not set
 # CONFIG_REGULATOR_TPS65023 is not set
@@ -3591,7 +3592,6 @@ CONFIG_REGULATOR_TWL4030=3Dy
 CONFIG_REGULATOR_VEXPRESS=3Dy
 CONFIG_CEC_CORE=3Dm
 CONFIG_CEC_NOTIFIER=3Dy
-CONFIG_CEC_PIN=3Dy
 CONFIG_RC_CORE=3Dm
 CONFIG_RC_MAP=3Dm
 CONFIG_RC_DECODERS=3Dy
@@ -4234,12 +4234,6 @@ CONFIG_DRM_UDL=3Dm
 # CONFIG_DRM_MGAG200 is not set
 # CONFIG_DRM_CIRRUS_QEMU is not set
 CONFIG_DRM_RCAR_DW_HDMI=3Dm
-CONFIG_DRM_SUN4I=3Dm
-CONFIG_DRM_SUN4I_HDMI=3Dm
-CONFIG_DRM_SUN4I_HDMI_CEC=3Dy
-CONFIG_DRM_SUN4I_BACKEND=3Dm
-CONFIG_DRM_SUN8I_DW_HDMI=3Dm
-CONFIG_DRM_SUN8I_MIXER=3Dm
 # CONFIG_DRM_QXL is not set
 # CONFIG_DRM_BOCHS is not set
 CONFIG_DRM_PANEL=3Dy
@@ -4329,6 +4323,7 @@ CONFIG_FB_ARMCLCD=3Dm
 # CONFIG_FB_ASILIANT is not set
 # CONFIG_FB_IMSTT is not set
 # CONFIG_FB_UVESA is not set
+CONFIG_FB_EFI=3Dy
 CONFIG_FB_OPENCORES=3Dm
 # CONFIG_FB_S1D13XXX is not set
 # CONFIG_FB_NVIDIA is not set
@@ -5315,6 +5310,7 @@ CONFIG_RTC_DRV_DS1553=3Dm
 # CONFIG_RTC_DRV_DS1685_FAMILY is not set
 CONFIG_RTC_DRV_DS1742=3Dm
 CONFIG_RTC_DRV_DS2404=3Dm
+# CONFIG_RTC_DRV_EFI is not set
 CONFIG_RTC_DRV_STK17TA8=3Dm
 # CONFIG_RTC_DRV_M48T86 is not set
 CONFIG_RTC_DRV_M48T35=3Dm
@@ -6048,10 +6044,27 @@ CONFIG_ARM_PSCI_FW=3Dy
 # CONFIG_ARM_PSCI_CHECKER is not set
 # CONFIG_ARM_SCPI_PROTOCOL is not set
 # CONFIG_FIRMWARE_MEMMAP is not set
+CONFIG_DMIID=3Dy
+# CONFIG_DMI_SYSFS is not set
 CONFIG_RASPBERRYPI_FIRMWARE=3Dy
 # CONFIG_FW_CFG_SYSFS is not set
 CONFIG_HAVE_ARM_SMCCC=3Dy
 # CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# EFI (Extensible Firmware Interface) Support
+#
+CONFIG_EFI_VARS=3Dy
+CONFIG_EFI_ESRT=3Dy
+CONFIG_EFI_VARS_PSTORE=3Dy
+# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
+CONFIG_EFI_PARAMS_FROM_FDT=3Dy
+CONFIG_EFI_RUNTIME_WRAPPERS=3Dy
+CONFIG_EFI_ARMSTUB=3Dy
+CONFIG_EFI_BOOTLOADER_CONTROL=3Dm
+# CONFIG_EFI_CAPSULE_LOADER is not set
+# CONFIG_EFI_TEST is not set
+# CONFIG_RESET_ATTACK_MITIGATION is not set
 CONFIG_MESON_SM=3Dy
=20
 #
@@ -6173,6 +6186,7 @@ CONFIG_TMPFS_XATTR=3Dy
 # CONFIG_HUGETLB_PAGE is not set
 CONFIG_ARCH_HAS_GIGANTIC_PAGE=3Dy
 CONFIG_CONFIGFS_FS=3Dm
+CONFIG_EFIVAR_FS=3Dm
 CONFIG_MISC_FILESYSTEMS=3Dy
 # CONFIG_ORANGEFS_FS is not set
 # CONFIG_ADFS_FS is not set
@@ -6790,6 +6804,7 @@ CONFIG_DDR=3Dy
 CONFIG_IRQ_POLL=3Dy
 CONFIG_LIBFDT=3Dy
 CONFIG_OID_REGISTRY=3Dm
+CONFIG_UCS2_STRING=3Dy
 CONFIG_FONT_SUPPORT=3Dy
 # CONFIG_FONTS is not set
 CONFIG_FONT_8x8=3Dy
--=20
2.17.1


--===============0038339454174442849==--


From matthias.fischer@ipfire.org Sat Jul 14 17:27:22 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: 81.3.27.54 => rDNS => Reverse lookup failed
Date: Sat, 14 Jul 2018 18:27:23 +0200
Message-ID: <08bf349d-8d7c-4871-fccf-eb4cd50e5c06@ipfire.org>
In-Reply-To: <547390ae2283fec6cd1bd7ef43bd7e7a946a226d.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7601054472817182501=="

--===============7601054472817182501==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On 14.07.2018 15:34, Michael Tremer wrote:
> On Sat, 2018-07-14 at 12:29 +0200, Matthias Fischer wrote:
>> Hi!
>> 
>> Since both DNS.WATCH-Servers are unavailable since today...
> 
> LOL

Second time this year. *Sigh*

>> => https://forum.ipfire.org/viewtopic.php?f=27&t=20253&p=117259#p117259
>> 
>> ...I switched to Lightning Wire Labs (81.3.27.54).
>> 
>> 'unbound' says that everything is OK, DNSSEC is OK, testing is OK.
>> 
>> But IPFire-GUI tells me that for 'rDNS' "Reverse lookup failed".
>> 
>> Can anyone confirm? Reason?
> 
> Yes we don't have Reverse Pointers set up:
> 
>   https://bugzilla.ipfire.org/show_bug.cgi?id=11686

Ok, I see.

> Reason? Time :)

Time is definitely NOT on our side... :-)

Best,
Matthias

--===============7601054472817182501==--


From peter.mueller@link38.eu Mon Jul 16 16:02:27 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: 81.3.27.54 => rDNS => Reverse lookup failed
Date: Mon, 16 Jul 2018 17:02:16 +0200
Message-ID: <44296f2b-5a59-87d3-75ff-d918c0e0f1e0@link38.eu>
In-Reply-To: <08bf349d-8d7c-4871-fccf-eb4cd50e5c06@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5704511847223160891=="

--===============5704511847223160891==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hello,

does anybody know the status of DNS.WATCH?

Their DNS servers seem to be still down; moreover, I cannot reach
their website because of a DNS error. Looks like the thing is
abandoned. :-(

Best regards,
Peter Müller
-- 
"We don't care.  We don't have to.  We're the Phone Company."


--===============5704511847223160891==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWx0TXMzOEFDZ2tRMlVqeUQzMTcKbjJpcy9RLytONUtDemkvQ2o3
OFNEUXdIUUI1VElYeXJyK3Bjc3ZScThGYzN5dUkvL1ZvdEpScWgrall5VHVGcwpjM2p6dHFscS9P
aFBGQ0N3V0QwaE9MdnhRMytkU3pBMm4wcVRLamt0NWJXU2t2b1RXUkhkNWw5U3BQU213UVdiCmVt
anJWSllBRDc4NTk2YStlUU9QbFEwU1Uxc05lZXpabWZ3WVIzTlh0SVVuNElmd3ZNRFk4SWlaV0wz
dFlkdDMKUXNORmxxNkZyNk11U00veEppRStlV2ZuNHpqYWlTZ1BEbWtlSXAyVGd3NGhGUmFITXBP
NlN1ZzVMVXdCL0FPMQppMDdJTHhwb09NWG9oNUF1VVNKZmxNN2EwY3gzcy9uVGUybGVTMkZVVXNF
VURKd01EYWhLbUpkWVc5ODJWMFNtCmppVjV0WXZ5cG1ZSDk3ZVFqZFBTMVg2amJkS3hZTVJEMTI3
QTZlS25MVDlrdFkwdVEyWUpNVnhGcUhCaDZ2MVgKbWxJMGFOUWhQcFhHZm8wcXNBVGtMVEVQcnhN
YnBzbjVEdmJFRDdLQldyMlVUalpJdnc5VzBFYW9hVXlNL3Bobgo3N09NMUs5NmIzMzBiTzMydEMx
Vlp0TzJPaU1CRi9sK3VGbi9DWlAvWGc4ZjBuUU10TEVHbDJURFFLT1JLV3VJCmVCbEEyNCt1blZU
Z2h5NVFrZVo0elJuRXh0RlliSVpxajN1SEh0TkJCaDEreHYxRHFjQmtITk5IYXNaUzg5VEsKd25q
MHFFQmQ3RUNzZ3Fib29TSUEycVB5eGdPSnpQWUk1ZWI5ZFQ4V25ZQmY5Q1h6WktBdTRjNTN3MmR3
MHFCSgpiUXFzZ0IwTzEyOE16aE1oRlFUS1VKVmFyWURlN3pNUklOanZsVjZaMGY1SzhWZTZkeFE9
Cj1Cc1R5Ci0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============5704511847223160891==--


From michael.tremer@ipfire.org Mon Jul 16 17:48:27 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: 81.3.27.54 => rDNS => Reverse lookup failed
Date: Mon, 16 Jul 2018 17:48:26 +0100
Message-ID: <8cfbbb9cfcd08869e2debdb827f76b74739815b6.camel@ipfire.org>
In-Reply-To: <44296f2b-5a59-87d3-75ff-d918c0e0f1e0@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0060214153996964922=="

--===============0060214153996964922==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello,

nobody seems to know anything, so I guess they just closed down silently:

  https://www.reddit.com/r/privacytoolsIO/comments/8yidwv/dnswatch_is_down_ag=
ain/

- -Michael

On Mon, 2018-07-16 at 17:02 +0200, Peter M=C3=BCller wrote:
> Hello,
>=20
> does anybody know the status of DNS.WATCH?
>=20
> Their DNS servers seem to be still down; moreover, I cannot reach
> their website because of a DNS error. Looks like the thing is
> abandoned. :-(
>=20
> Best regards,
> Peter M=C3=BCller
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAltMzFoACgkQgHnw/2+Q
CQciHw/9EmLCzMIjtKhOTN/xxLtC+4ReKXGAEvak1Ym/GU3jJJk8OAHEIk6PeHJn
6IJSYKpU0YtXYc0iufCCMBiscswkL28fipFZZ+mWjBkxNQRiQaj3rt2+xT1E8goY
jJjq6p9Af1XN0qWD+McFz0qRY04GcSZs9USw4twpjR3mv1BsUoO0P3K5J4UwgjNT
0rZauPkaFLU2zkOJqk1LVLznmuLES8ZnX6sW0XEKsf1Z71O40RqDkUsH2q4Lo2oS
H+aqWKagtZqVWEsqfXoNkbYcMZxJtJ7W6YVzoDOyXLlm9MPVf4MF3BZJmhT74h8I
F4wOCSV7S3o1UjfTzmq5nkVbbuYARYDInhjKV51P1BjZBZ/PyqvXTYVm53irfu7u
LOjJUuBrrq9rRb0JQhc7vwdkWpo9qF6btKlvdkLsFjYLUJMWg2mk2shwOmjerEiE
BUVh5OikfB9AFAyYjcUzUzlzzVGFkejodtfSGL8w/P9M7kvhPQJ8TozK8fcTgE2+
jvlxhBCjTchV4zI+mRzG7honRCqWj/4vg7WHKpKZcAphnu8j0Tq8I/31UKuHqSlv
EjTrrb33faLGpgtwQGqXncfxDcBTkJSfKdRqy4Bx535yWObL8GDzUICwqgZbDBaA
KT8CfBpbGNz7CcEsQmsbTqblBOtRQ94v9A0OaBklOh9m7FgSbYQ=3D
=3D+tDY
-----END PGP SIGNATURE-----


--===============0060214153996964922==--


From wolfgang.apolinarski@ipfire.org Tue Jul 17 19:13:42 2018
From: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 0/1] Apache: Update to 2.4.34
Date: Tue, 17 Jul 2018 20:13:29 +0200
Message-ID: <20180717181330.24801-1-wolfgang.apolinarski@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3536383660691380980=="

--===============3536383660691380980==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Apache: Update to 2.4.34

- Small bugfix release, apr and apr-util are still up-to-date.
- Built and tested.

Wolfgang Apolinarski (1):
  Apache: Update to 2.4.34

 lfs/apache2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

-- 
2.13.0


--===============3536383660691380980==--


From wolfgang.apolinarski@ipfire.org Tue Jul 17 19:14:01 2018
From: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/1] Apache: Update to 2.4.34
Date: Tue, 17 Jul 2018 20:13:30 +0200
Message-ID: <20180717181330.24801-2-wolfgang.apolinarski@ipfire.org>
In-Reply-To: <20180717181330.24801-1-wolfgang.apolinarski@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0816612193154214613=="

--===============0816612193154214613==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

---
 lfs/apache2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/apache2 b/lfs/apache2
index 16dd101d7..0e526a575 100644
--- a/lfs/apache2
+++ b/lfs/apache2
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 2.4.33
+VER        = 2.4.34
 
 THISAPP    = httpd-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -45,7 +45,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 6ef469d3f16fffeb688bc6e0346823e5
+$(DL_FILE)_MD5 = 818adca52f3be187fe45d6822755be95
 
 install : $(TARGET)
 
-- 
2.13.0


--===============0816612193154214613==--


From matthias.fischer@ipfire.org Tue Jul 17 19:50:46 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] squid: Update to 3.5.28
Date: Tue, 17 Jul 2018 20:50:41 +0200
Message-ID: <20180717185041.12572-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2810272839191113982=="

--===============2810272839191113982==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

For details see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/squid                                     |  8 ++----
 src/patches/squid/SQUID-2018_1.patch          | 28 -------------------
 src/patches/squid/SQUID-2018_2.patch          | 23 ---------------
 ...uid-3.5.28-fix-max-file-descriptors.patch} |  0
 4 files changed, 3 insertions(+), 56 deletions(-)
 delete mode 100644 src/patches/squid/SQUID-2018_1.patch
 delete mode 100644 src/patches/squid/SQUID-2018_2.patch
 rename src/patches/squid/{squid-3.5.27-fix-max-file-descriptors.patch =3D> s=
quid-3.5.28-fix-max-file-descriptors.patch} (100%)

diff --git a/lfs/squid b/lfs/squid
index f93097019..cae56407c 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -24,7 +24,7 @@
=20
 include Config
=20
-VER        =3D 3.5.27
+VER        =3D 3.5.28
=20
 THISAPP    =3D squid-$(VER)
 DL_FILE    =3D $(THISAPP).tar.xz
@@ -42,7 +42,7 @@ objects =3D $(DL_FILE)
=20
 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE)
=20
-$(DL_FILE)_MD5 =3D 39ef8199675d48a314b540f92c00c545
+$(DL_FILE)_MD5 =3D 9367e0375ea53ba0e99f77054d4402c5
=20
 install : $(TARGET)
=20
@@ -72,9 +72,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/SQUID-2018_1.pa=
tch
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/SQUID-2018_2.pa=
tch
-	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.27-fi=
x-max-file-descriptors.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fi=
x-max-file-descriptors.patch
=20
 	cd $(DIR_APP) && autoreconf -vfi
 	cd $(DIR_APP)/libltdl && autoreconf -vfi
diff --git a/src/patches/squid/SQUID-2018_1.patch b/src/patches/squid/SQUID-2=
018_1.patch
deleted file mode 100644
index 9392219a9..000000000
--- a/src/patches/squid/SQUID-2018_1.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-commit eb2db98a676321b814fc4a51c4fb7928a8bb45d9 (refs/remotes/origin/v3.5)
-Author: Amos Jeffries <yadij(a)users.noreply.github.com>
-Date:   2018-01-19 13:54:14 +1300
-
-    ESI: make sure endofName never exceeds tagEnd (#130)
-
-diff --git a/src/esi/CustomParser.cc b/src/esi/CustomParser.cc
-index d86d2d3..db634d9 100644
---- a/src/esi/CustomParser.cc
-+++ b/src/esi/CustomParser.cc
-@@ -121,7 +121,7 @@ ESICustomParser::parse(char const *dataToParse, size_t c=
onst lengthOfData, bool
-=20
-             char * endofName =3D strpbrk(const_cast<char *>(tag), w_space);
-=20
--            if (endofName > tagEnd)
-+            if (!endofName || endofName > tagEnd)
-                 endofName =3D const_cast<char *>(tagEnd);
-=20
-             *endofName =3D '\0';
-@@ -214,7 +214,7 @@ ESICustomParser::parse(char const *dataToParse, size_t c=
onst lengthOfData, bool
-=20
-             char * endofName =3D strpbrk(const_cast<char *>(tag), w_space);
-=20
--            if (endofName > tagEnd)
-+            if (!endofName || endofName > tagEnd)
-                 endofName =3D const_cast<char *>(tagEnd);
-=20
-             *endofName =3D '\0';
diff --git a/src/patches/squid/SQUID-2018_2.patch b/src/patches/squid/SQUID-2=
018_2.patch
deleted file mode 100644
index 9ecd8a5b7..000000000
--- a/src/patches/squid/SQUID-2018_2.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-commit 8232b83d3fa47a1399f155cb829db829369fbae9 (refs/remotes/origin/v3.5)
-Author: squidadm <squidadm(a)users.noreply.github.com>
-Date:   2018-01-21 08:07:08 +1300
-
-    Fix indirect IP logging for transactions without a client connection (#1=
29) (#136)
-
-diff --git a/src/client_side_request.cc b/src/client_side_request.cc
-index be124f3..203f89d 100644
---- a/src/client_side_request.cc
-+++ b/src/client_side_request.cc
-@@ -488,9 +488,9 @@ clientFollowXForwardedForCheck(allow_t answer, void *dat=
a)
-         * Ensure that the access log shows the indirect client
-         * instead of the direct client.
-         */
--        ConnStateData *conn =3D http->getConn();
--        conn->log_addr =3D request->indirect_client_addr;
--        http->al->cache.caddr =3D conn->log_addr;
-+        http->al->cache.caddr =3D request->indirect_client_addr;
-+        if (ConnStateData *conn =3D http->getConn())
-+            conn->log_addr =3D request->indirect_client_addr;
-     }
-     request->x_forwarded_for_iterator.clean();
-     request->flags.done_follow_x_forwarded_for =3D true;
diff --git a/src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch b/=
src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
similarity index 100%
rename from src/patches/squid/squid-3.5.27-fix-max-file-descriptors.patch
rename to src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
--=20
2.18.0


--===============2810272839191113982==--


From michael.tremer@ipfire.org Wed Jul 18 11:28:22 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: EFI
Date: Wed, 18 Jul 2018 11:28:20 +0100
Message-ID: <441a3a5cf3f791779d7a6a85016b6a1869709965.camel@ipfire.org>
In-Reply-To: <805e82694faee6fa5fda67944b239c3a93b293d9.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5225701022698227484=="

--===============5225701022698227484==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello,

images are back again:

  https://nightly.ipfire.org/efi/2018-07-16%2022:35:21%20+0100-3deac294/x86_6=
4/

-Michael

On Tue, 2018-06-19 at 11:26 +0100, Michael Tremer wrote:
> Hello guys,
>=20
> images for testing are from now on available here:
>=20
>   https://nightly.ipfire.org/efi/
>=20
> Best,
> -Michael
>=20
> On Mon, 2018-06-18 at 16:04 +0100, Michael Tremer wrote:
> > Hello,
> >=20
> > it is finally time to think about EFI. That's the new kind of BIOS.
> >=20
> > In the past we have been ignoring this since the community did not want to
> > fund
> > any work in this area and there was enough hardware out there that booted=
 up
> > fine without support for EFI.
> >=20
> > Now this has changed, since Hannes told me that there is going to be more
> > and
> > more boards without a CSM and we are going to port IPFire to ARM64 soon
> > which
> > doesn't have a classic BIOS at all.
> >=20
> > For ARM64, I might even want to push for EFI-only, but Arne disagrees :P
> >=20
> > So what has happened so far?
> >=20
> > I have created a new branch "efi":
> >=20
> >   https://git.ipfire.org/?p=3Dipfire-2.x.git;a=3Dshortlog;h=3Drefs/heads/=
efi
> >=20
> > This branch collects all the changes to the bootloader, the scripts that
> > author
> > the images and the installer. Please review and send your comments.
> >=20
> > The build creates two things in the end:
> >=20
> > An ISO image that is bootable in EFI mode. It will install the system for
> > EFI
> > whether the system supports EFI or not. That will allow us to move a
> > harddisk
> > from one machine to another one. Opposed to the flash image, the installer
> > will
> > try to create a boot entry in the EFI BIOS.
> >=20
> > The flash image will also boot in EFI mode or normal BIOS mode, depending=
 on
> > the
> > system and leave the system configuration untouched.
> >=20
> > Since EFI is a tricky standard and other distributions had loads of troub=
le
> > with
> > it in the past, we need loads of people to test these images on their
> > hardware.
> > I hope that we will be able to sort out any boot issues as soon as possib=
le
> > with
> > this method.
> >=20
> > Existing installations will not be migrated.
> >=20
> > We will support EFI only for x86_64 and aarch64. There is only a few syst=
ems
> > out
> > there that are 32 bit and support EFI. Those are usually not a good choice
> > for
> > running IPFire.
> >=20
> > Since I have no images ready right now, there is only code to review. I w=
ill
> > upload images as soon as possible so that you guys can help testing witho=
ut
> > compiling them yourself.
> >=20
> > Best,
> > -Michael

--===============5225701022698227484==--


From peter.mueller@link38.eu Thu Jul 19 18:35:35 2018
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject:
 DNS.WATCH up again (was: Re: 81.3.27.54 => rDNS => Reverse lookup failed)
Date: Thu, 19 Jul 2018 19:35:21 +0200
Message-ID: <a62076b0-e6e7-7659-6d89-9da5a0a61425@link38.eu>
In-Reply-To: <8cfbbb9cfcd08869e2debdb827f76b74739815b6.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6089182203917981155=="

--===============6089182203917981155==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Hello,

looks like both DNS servers and website are up again.

Best regards,
Peter Müller
-- 
"We don't care.  We don't have to.  We're the Phone Company."


--===============6089182203917981155==
Content-Type: application/pgp-signature
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="signature.asc"
MIME-Version: 1.0

LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KCmlRSXpCQUVCQ2dBZEZpRUV2UDRTaUdoRVlE
SnlyUkxrMlVqeUQzMTduMmdGQWx0UXkrQUFDZ2tRMlVqeUQzMTcKbjJoRzd3LytORXc1NU1XbXNS
ek4vbnEzQ0FUNnIycGVsWTRNYm9vaXAxRkpKc21FTjY1WC9mcmd4TTJRdFNnTwptNjdhdGE3dHkv
Q2xIYjRUU1JnbVBrUm1BdGJIQXdCeHY5eWQ1Wnp6Y1NoVlJtQTNEZDJrd3FKWnA1cXpBYzMzClFN
RTBWenAxbmpWNVR6YklQdkVCNWlaMkRPdFZXVVNLZk1DRkw5ckFjM3FXbmV1RXFnWFkrTzJFSCtN
R1hrREQKdTdkNm5CenZrMTgxVGw5UEVlU2NrOWRCWGpHaWJtU3BkaDV0VUVWU2pCMWRJdTJFdWpv
V2Q2dGwxQmRjbVdXQgpxTmFQdi8vQkN2WVNkQkpDSHcvWWJmRTQxcHlhUnZVZm5SejNLUUxoT3lz
OFVrdUVTT1ZPQU5nK2c3NGdjN0NPCkNGdFlVNGdzR0ZNMUlDdkp1UWkzVm9VZC9JeHVqNXJtTDNt
RWdZb1FHWWRWYzZldkg2ck55eXRZVkVkSllVamMKcTMrRXI2YlNIK1JiZGNwd0l4ME02MElUSUlt
b3p1YU0zVWhqczZ5RkxyQmZ4UnQveEsxajFldjVTRkVyWTlqdApwdVNPQTNqaGVMY2hoTHk3d2Fl
UmJBcEdvUHl0S0lFRVVXV0RWY0hEVisyRVhUMGFqZ0xrYWwvV1J3eGtsbmdDCkg3aWZPMldPdEVJ
Tjd0N1JRUHJKN0lpam5yNlBPMEV1eTV3ZEo2UE5zTXBxQWhVQzdaMWFNeGsxUnpGcS9WL1UKU0dG
ZUtyZnk1OUtxbG5DM0R5bWt0MVFkWVowdEI2UGdGZDEzWUtNN0NZYVVNZitNRGhVMHA3TFRLdGYv
T0NaSQp0RmVMVVpjdzE1NWcvd3c4SUxYTGYwcUQyMElCRm9mS0R0VC96RnY1V3lRVHM0N1ZDcHM9
Cj01bzJzCi0tLS0tRU5EIFBHUCBTSUdOQVRVUkUtLS0tLQo=

--===============6089182203917981155==--


From michael.tremer@ipfire.org Fri Jul 20 16:35:07 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject:
 Re: DNS.WATCH up again (was: Re: 81.3.27.54 => rDNS => Reverse lookup failed)
Date: Fri, 20 Jul 2018 16:35:06 +0100
Message-ID: <c2c1861f7c9703a378e0904a0f9441364031a3fd.camel@ipfire.org>
In-Reply-To: <a62076b0-e6e7-7659-6d89-9da5a0a61425@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4127237218133625659=="

--===============4127237218133625659==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

I have seen that you have re-added them on the wiki, too.

Is this a trustworthy DNS provider?

-Michael

On Thu, 2018-07-19 at 19:35 +0200, Peter Müller wrote:
> Hello,
> 
> looks like both DNS servers and website are up again.
> 
> Best regards,
> Peter Müller

--===============4127237218133625659==--


From matthias.fischer@ipfire.org Fri Jul 20 19:09:17 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: DNS.WATCH up again
Date: Fri, 20 Jul 2018 20:09:18 +0200
Message-ID: <05d64da0-b139-493d-366a-2d7efa8f9ca9@ipfire.org>
In-Reply-To: <c2c1861f7c9703a378e0904a0f9441364031a3fd.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2704496577438108935=="

--===============2704496577438108935==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi,

On 20.07.2018 17:35, Michael Tremer wrote:
> I have seen that you have re-added them on the wiki, too.
>=20
> Is this a trustworthy DNS provider?

Jm2C:
They failed on Februar, 4th for about two days and now again -
even longer - without any comment.

Besides, I found some intersting comments during searching here:
https://forum.kuketz-blog.de/viewtopic.php?f=3D32&t=3D187 (german)

The code mentioned there ist still present on their site:

...
<!-- Ideal-Hosting Analytics -->
    <script type=3D"text/javascript">
      var _paq =3D _paq || [];
      _paq.push(['trackPageView']);
      _paq.push(['enableLinkTracking']);
      (function() {
        var u=3D(("https:" =3D=3D document.location.protocol) ? "https" : "ht=
tp") + "://analytics.ihgip.net/";
        _paq.push(['setTrackerUrl', u+'piwik.php']);
        _paq.push(['setSiteId', 38]);
        var d=3Ddocument, g=3Dd.createElement('script'), s=3Dd.getElementsByT=
agName('script')[0]; g.type=3D'text/javascript';
        g.defer=3Dtrue; g.async=3Dtrue; g.src=3Du+'piwik.js'; s.parentNode.in=
sertBefore(g,s);
      })();
    </script>
    <noscript><p><img src=3D"http://analytics.ihgip.net/piwik.php?idsite=3D38=
" style=3D"border:0;" alt=3D"" /></p></noscript>
    <!-- End Ideal-Hosting Analytics -->
...

IMHO we should delete this entry.

Best,
Matthias

> -Michael
>=20
> On Thu, 2018-07-19 at 19:35 +0200, Peter M=C3=BCller wrote:
>> Hello,
>>=20
>> looks like both DNS servers and website are up again.
>>=20
>> Best regards,
>> Peter M=C3=BCller
>=20


--===============2704496577438108935==--


From michael.tremer@ipfire.org Sat Jul 21 12:17:18 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: DNS.WATCH up again
Date: Sat, 21 Jul 2018 12:17:17 +0100
Message-ID: <bbbc2323b1b0078b3994ddaf8662cdb4b25a4465.camel@ipfire.org>
In-Reply-To: <05d64da0-b139-493d-366a-2d7efa8f9ca9@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8739916339499018405=="

--===============8739916339499018405==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Yes, I agree. We should remove them from the list.

Not because of that bit of JS there (which is funny in itself), but basically
because they are unreliable and nobody knows who is behind it and how to get =
in
touch with them. At least that is my perception of all of this.

And it is not that there are no alternatives. There are plenty and people sho=
uld
choose from there.

Best,
-Michael

On Fri, 2018-07-20 at 20:09 +0200, Matthias Fischer wrote:
> Hi,
>=20
> On 20.07.2018 17:35, Michael Tremer wrote:
> > I have seen that you have re-added them on the wiki, too.
> >=20
> > Is this a trustworthy DNS provider?
>=20
> Jm2C:
> They failed on Februar, 4th for about two days and now again -
> even longer - without any comment.
>=20
> Besides, I found some intersting comments during searching here:
> https://forum.kuketz-blog.de/viewtopic.php?f=3D32&t=3D187 (german)
>=20
> The code mentioned there ist still present on their site:
>=20
> ...
> <!-- Ideal-Hosting Analytics -->
>     <script type=3D"text/javascript">
>       var _paq =3D _paq || [];
>       _paq.push(['trackPageView']);
>       _paq.push(['enableLinkTracking']);
>       (function() {
>         var u=3D(("https:" =3D=3D document.location.protocol) ? "https" : "=
http") +
> "://analytics.ihgip.net/";
>         _paq.push(['setTrackerUrl', u+'piwik.php']);
>         _paq.push(['setSiteId', 38]);
>         var d=3Ddocument, g=3Dd.createElement('script'),
> s=3Dd.getElementsByTagName('script')[0]; g.type=3D'text/javascript';
>         g.defer=3Dtrue; g.async=3Dtrue; g.src=3Du+'piwik.js';
> s.parentNode.insertBefore(g,s);
>       })();
>     </script>
>     <noscript><p><img src=3D"http://analytics.ihgip.net/piwik.php?idsite=3D=
38"
> style=3D"border:0;" alt=3D"" /></p></noscript>
>     <!-- End Ideal-Hosting Analytics -->
> ...
>=20
> IMHO we should delete this entry.
>=20
> Best,
> Matthias
>=20
> > -Michael
> >=20
> > On Thu, 2018-07-19 at 19:35 +0200, Peter M=C3=BCller wrote:
> > > Hello,
> > >=20
> > > looks like both DNS servers and website are up again.
> > >=20
> > > Best regards,
> > > Peter M=C3=BCller
>=20
>=20

--===============8739916339499018405==--


From matthias.fischer@ipfire.org Sat Jul 21 19:18:20 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] bind: Update to 9.11.3
Date: Sat, 21 Jul 2018 20:18:15 +0200
Message-ID: <20180721181815.1692-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0012057309959803605=="

--===============0012057309959803605==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

For details see:
http://ftp.isc.org/isc/bind9/9.11.4/RELEASE-NOTES-bind-9.11.4.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/bind | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/bind b/lfs/bind
index 35f76443e..7a14a245a 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.11.3
+VER        = 9.11.4
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 4ed2a3f235595eadbd763b7ecb687ca0
+$(DL_FILE)_MD5 = 9b4834d78f30cdb796ce437262272a36
 
 install : $(TARGET)
 
-- 
2.18.0


--===============0012057309959803605==--


From matthias.fischer@ipfire.org Sat Jul 21 21:00:03 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] bind: Update to 9.11.3
Date: Sat, 21 Jul 2018 22:00:03 +0200
Message-ID: <e2983df7-71d4-f2dd-5e11-044169dbd0a5@ipfire.org>
In-Reply-To: <20180721181815.1692-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8451582821104932785=="

--===============8451582821104932785==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi,

Sorry, typo! This should read "[PATCH] bind: Update to 9.11.*4*"

Shall I send it again?

Best,
Matthias

On 21.07.2018 20:18, Matthias Fischer wrote:
> For details see:
> http://ftp.isc.org/isc/bind9/9.11.4/RELEASE-NOTES-bind-9.11.4.html
> 
> Best,
> Matthias
> 
> Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
> ---
>  lfs/bind | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lfs/bind b/lfs/bind
> index 35f76443e..7a14a245a 100644
> --- a/lfs/bind
> +++ b/lfs/bind
> @@ -25,7 +25,7 @@
>  
>  include Config
>  
> -VER        = 9.11.3
> +VER        = 9.11.4
>  
>  THISAPP    = bind-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -43,7 +43,7 @@ objects = $(DL_FILE)
>  
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>  
> -$(DL_FILE)_MD5 = 4ed2a3f235595eadbd763b7ecb687ca0
> +$(DL_FILE)_MD5 = 9b4834d78f30cdb796ce437262272a36
>  
>  install : $(TARGET)
>  
> 


--===============8451582821104932785==--


From matthias.fischer@ipfire.org Sun Jul 22 15:52:46 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: patchwork.ipfire.org => Internal Server Error
Date: Sun, 22 Jul 2018 16:52:51 +0200
Message-ID: <85ea930a-161f-f4eb-88ee-733c2acded47@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7614306169462412025=="

--===============7614306169462412025==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi,

FYI:

https://patchwork.ipfire.org/project/ipfire/list/ ends with

"Internal Server Error

The server encountered an internal error or misconfiguration and was
unable to complete your request."

Too hot to handle the requests... ;-)

Best,
Matthias

--===============7614306169462412025==--


From matthias.fischer@ipfire.org Sun Jul 22 16:11:58 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] bind: Update to 9.11.4
Date: Sun, 22 Jul 2018 17:11:53 +0200
Message-ID: <20180722151153.2106-1-matthias.fischer@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8965017742228723923=="

--===============8965017742228723923==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

For details see:
http://ftp.isc.org/isc/bind9/9.11.4/RELEASE-NOTES-bind-9.11.4.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
 lfs/bind | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/bind b/lfs/bind
index 35f76443e..7a14a245a 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
 
 include Config
 
-VER        = 9.11.3
+VER        = 9.11.4
 
 THISAPP    = bind-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 4ed2a3f235595eadbd763b7ecb687ca0
+$(DL_FILE)_MD5 = 9b4834d78f30cdb796ce437262272a36
 
 install : $(TARGET)
 
-- 
2.18.0


--===============8965017742228723923==--


From noloader@gmail.com Sun Jul 22 16:40:23 2018
From: Jeffrey Walton <noloader@gmail.com>
To: development@lists.ipfire.org
Subject: IP traffic being dropped rather than forwarded
Date: Sun, 22 Jul 2018 11:40:20 -0400
Message-ID:
 <CAH8yC8mYn_+9TriHg6AQS0K2Rs1gvA4k26a=ifkR+FY0GkPatA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1573164729255433323=="

--===============1573164729255433323==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi Everyone,

My apologies if this is the wrong list. I did not see a Users list at
https://lists.ipfire.org/mailman/listinfo . Please let me know a
better list if one is available.

I'm following https://wiki.ipfire.org/configuration/firewall/rules/port-forwa=
rding.
I've setup a port forwarding rule to send inbound TCP|UDP/1522 traffic
to an internal host/22 (i.e., forward to SSH). See
https://postimg.cc/image/ubpzpkaaf/ .

Inspecting the Firewall Log shows the traffic is being DROP_INPUT. See
https://s15.postimg.cc/sl6ynm2wr/Firewall-2.png .

I don't understand two items. First, why is this listed under Outgoing
Firewall Rules? This is something to handle incoming traffic, not
outgoing traffic.

Second, the "Destination" and the "Firewall: 22" part. I'm pretty sure
I configured <any>:1522 to forward to <internal host>:22.

How does one forward  <incoming>:1522 to <host>:22? What am I doing
wrong? Is there an easier way to do this?

--===============1573164729255433323==--


From fkienker@at4b.com Mon Jul 23 18:39:38 2018
From: "Kienker, Fred" <fkienker@at4b.com>
To: development@lists.ipfire.org
Subject: Core 122
Date: Mon, 23 Jul 2018 13:39:32 -0400
Message-ID: <H000006e00422959.1532367572.mail.at4b.net@MHS>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4495074043166286144=="

--===============4495074043166286144==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Core 122 has been in the testing phase for almost a month now. Is there
anything outsiders can do to help accelerate the release?

 

Things we have tried on Core 122 with success:

*  Updating copies of existing systems including those with VPN’s
*  Installing from scratch on bare metal machines
*  Transferring settings backups from existing machines to bare metal
   setups

 

No surprises with any of these. Machines were left running with the
various test setups for up to a week with no issues. All showed
significant performance boosts with the new kernel.

 

One thing we have noticed – to get the maximum benefit does require a
bare metal install and a restore from backup.

Best regards, 

Fred Kienker

 





--===============4495074043166286144==
Content-Type: text/html
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.html"
MIME-Version: 1.0

PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy
bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt
YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj
cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv
VFIvUkVDLWh0bWw0MCI+PGhlYWQ+PG1ldGEgbmFtZT1HZW5lcmF0b3IgY29udGVudD0iTWljcm9z
b2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPjxzdHlsZT48IS0tCi8qIEZvbnQgRGVmaW5p
dGlvbnMgKi8KQGZvbnQtZmFjZQoJe2ZvbnQtZmFtaWx5OldpbmdkaW5nczsKCXBhbm9zZS0xOjUg
MCAwIDAgMCAwIDAgMCAwIDA7fQpAZm9udC1mYWNlCgl7Zm9udC1mYW1pbHk6IkNhbWJyaWEgTWF0
aCI7CglwYW5vc2UtMToyIDQgNSAzIDUgNCA2IDMgMiA0O30KQGZvbnQtZmFjZQoJe2ZvbnQtZmFt
aWx5OkNhbGlicmk7CglwYW5vc2UtMToyIDE1IDUgMiAyIDIgNCAzIDIgNDt9Ci8qIFN0eWxlIERl
ZmluaXRpb25zICovCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWwsIGRpdi5Nc29Ob3JtYWwKCXtt
YXJnaW46MGluOwoJbWFyZ2luLWJvdHRvbTouMDAwMXB0OwoJZm9udC1zaXplOjExLjBwdDsKCWZv
bnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30KYTpsaW5rLCBzcGFuLk1zb0h5cGVybGlu
awoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsKCWNvbG9yOiMwNTYzQzE7Cgl0ZXh0LWRlY29yYXRp
b246dW5kZXJsaW5lO30KYTp2aXNpdGVkLCBzcGFuLk1zb0h5cGVybGlua0ZvbGxvd2VkCgl7bXNv
LXN0eWxlLXByaW9yaXR5Ojk5OwoJY29sb3I6Izk1NEY3MjsKCXRleHQtZGVjb3JhdGlvbjp1bmRl
cmxpbmU7fQpwLk1zb0xpc3RQYXJhZ3JhcGgsIGxpLk1zb0xpc3RQYXJhZ3JhcGgsIGRpdi5Nc29M
aXN0UGFyYWdyYXBoCgl7bXNvLXN0eWxlLXByaW9yaXR5OjM0OwoJbWFyZ2luLXRvcDowaW47Cglt
YXJnaW4tcmlnaHQ6MGluOwoJbWFyZ2luLWJvdHRvbTowaW47CgltYXJnaW4tbGVmdDouNWluOwoJ
bWFyZ2luLWJvdHRvbTouMDAwMXB0OwoJZm9udC1zaXplOjExLjBwdDsKCWZvbnQtZmFtaWx5OiJD
YWxpYnJpIixzYW5zLXNlcmlmO30Kc3Bhbi5FbWFpbFN0eWxlMTcKCXttc28tc3R5bGUtdHlwZTpw
ZXJzb25hbC1jb21wb3NlOwoJZm9udC1mYW1pbHk6IkNhbGlicmkiLHNhbnMtc2VyaWY7Cgljb2xv
cjp3aW5kb3d0ZXh0O30KLk1zb0NocERlZmF1bHQKCXttc28tc3R5bGUtdHlwZTpleHBvcnQtb25s
eTsKCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30KQHBhZ2UgV29yZFNlY3Rpb24x
Cgl7c2l6ZTo4LjVpbiAxMS4waW47CgltYXJnaW46MS4waW4gMS4waW4gMS4waW4gMS4waW47fQpk
aXYuV29yZFNlY3Rpb24xCgl7cGFnZTpXb3JkU2VjdGlvbjE7fQovKiBMaXN0IERlZmluaXRpb25z
ICovCkBsaXN0IGwwCgl7bXNvLWxpc3QtaWQ6ODQxNTA3NzY4OwoJbXNvLWxpc3QtdHlwZTpoeWJy
aWQ7Cgltc28tbGlzdC10ZW1wbGF0ZS1pZHM6LTE2MDAyMzI5MDIgLTE1OTk3MDI0OTAgNjc2OTg2
OTEgNjc2OTg2OTMgNjc2OTg2ODkgNjc2OTg2OTEgNjc2OTg2OTMgNjc2OTg2ODkgNjc2OTg2OTEg
Njc2OTg2OTM7fQpAbGlzdCBsMDpsZXZlbDEKCXttc28tbGV2ZWwtc3RhcnQtYXQ6MDsKCW1zby1s
ZXZlbC1udW1iZXItZm9ybWF0OmJ1bGxldDsKCW1zby1sZXZlbC10ZXh0OlxGMEI3OwoJbXNvLWxl
dmVsLXRhYi1zdG9wOm5vbmU7Cgltc28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7Cgl0ZXh0
LWluZGVudDotLjI1aW47Cglmb250LWZhbWlseTpTeW1ib2w7Cgltc28tZmFyZWFzdC1mb250LWZh
bWlseTpDYWxpYnJpOwoJbXNvLWJpZGktZm9udC1mYW1pbHk6IlRpbWVzIE5ldyBSb21hbiI7fQpA
bGlzdCBsMDpsZXZlbDIKCXttc28tbGV2ZWwtbnVtYmVyLWZvcm1hdDpidWxsZXQ7Cgltc28tbGV2
ZWwtdGV4dDpvOwoJbXNvLWxldmVsLXRhYi1zdG9wOm5vbmU7Cgltc28tbGV2ZWwtbnVtYmVyLXBv
c2l0aW9uOmxlZnQ7Cgl0ZXh0LWluZGVudDotLjI1aW47Cglmb250LWZhbWlseToiQ291cmllciBO
ZXciO30KQGxpc3QgbDA6bGV2ZWwzCgl7bXNvLWxldmVsLW51bWJlci1mb3JtYXQ6YnVsbGV0OwoJ
bXNvLWxldmVsLXRleHQ6XEYwQTc7Cgltc28tbGV2ZWwtdGFiLXN0b3A6bm9uZTsKCW1zby1sZXZl
bC1udW1iZXItcG9zaXRpb246bGVmdDsKCXRleHQtaW5kZW50Oi0uMjVpbjsKCWZvbnQtZmFtaWx5
OldpbmdkaW5nczt9CkBsaXN0IGwwOmxldmVsNAoJe21zby1sZXZlbC1udW1iZXItZm9ybWF0OmJ1
bGxldDsKCW1zby1sZXZlbC10ZXh0OlxGMEI3OwoJbXNvLWxldmVsLXRhYi1zdG9wOm5vbmU7Cglt
c28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7Cgl0ZXh0LWluZGVudDotLjI1aW47Cglmb250
LWZhbWlseTpTeW1ib2w7fQpAbGlzdCBsMDpsZXZlbDUKCXttc28tbGV2ZWwtbnVtYmVyLWZvcm1h
dDpidWxsZXQ7Cgltc28tbGV2ZWwtdGV4dDpvOwoJbXNvLWxldmVsLXRhYi1zdG9wOm5vbmU7Cglt
c28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7Cgl0ZXh0LWluZGVudDotLjI1aW47Cglmb250
LWZhbWlseToiQ291cmllciBOZXciO30KQGxpc3QgbDA6bGV2ZWw2Cgl7bXNvLWxldmVsLW51bWJl
ci1mb3JtYXQ6YnVsbGV0OwoJbXNvLWxldmVsLXRleHQ6XEYwQTc7Cgltc28tbGV2ZWwtdGFiLXN0
b3A6bm9uZTsKCW1zby1sZXZlbC1udW1iZXItcG9zaXRpb246bGVmdDsKCXRleHQtaW5kZW50Oi0u
MjVpbjsKCWZvbnQtZmFtaWx5OldpbmdkaW5nczt9CkBsaXN0IGwwOmxldmVsNwoJe21zby1sZXZl
bC1udW1iZXItZm9ybWF0OmJ1bGxldDsKCW1zby1sZXZlbC10ZXh0OlxGMEI3OwoJbXNvLWxldmVs
LXRhYi1zdG9wOm5vbmU7Cgltc28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7Cgl0ZXh0LWlu
ZGVudDotLjI1aW47Cglmb250LWZhbWlseTpTeW1ib2w7fQpAbGlzdCBsMDpsZXZlbDgKCXttc28t
bGV2ZWwtbnVtYmVyLWZvcm1hdDpidWxsZXQ7Cgltc28tbGV2ZWwtdGV4dDpvOwoJbXNvLWxldmVs
LXRhYi1zdG9wOm5vbmU7Cgltc28tbGV2ZWwtbnVtYmVyLXBvc2l0aW9uOmxlZnQ7Cgl0ZXh0LWlu
ZGVudDotLjI1aW47Cglmb250LWZhbWlseToiQ291cmllciBOZXciO30KQGxpc3QgbDA6bGV2ZWw5
Cgl7bXNvLWxldmVsLW51bWJlci1mb3JtYXQ6YnVsbGV0OwoJbXNvLWxldmVsLXRleHQ6XEYwQTc7
Cgltc28tbGV2ZWwtdGFiLXN0b3A6bm9uZTsKCW1zby1sZXZlbC1udW1iZXItcG9zaXRpb246bGVm
dDsKCXRleHQtaW5kZW50Oi0uMjVpbjsKCWZvbnQtZmFtaWx5OldpbmdkaW5nczt9Cm9sCgl7bWFy
Z2luLWJvdHRvbTowaW47fQp1bAoJe21hcmdpbi1ib3R0b206MGluO30KLS0+PC9zdHlsZT48IS0t
W2lmIGd0ZSBtc28gOV0+PHhtbD4KPG86c2hhcGVkZWZhdWx0cyB2OmV4dD0iZWRpdCIgc3BpZG1h
eD0iMTAyNiIgLz4KPC94bWw+PCFbZW5kaWZdLS0+PCEtLVtpZiBndGUgbXNvIDldPjx4bWw+Cjxv
OnNoYXBlbGF5b3V0IHY6ZXh0PSJlZGl0Ij4KPG86aWRtYXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEi
IC8+CjwvbzpzaGFwZWxheW91dD48L3htbD48IVtlbmRpZl0tLT48L2hlYWQ+PGJvZHkgbGFuZz1F
Ti1VUyBsaW5rPSIjMDU2M0MxIiB2bGluaz0iIzk1NEY3MiI+PGRpdiBjbGFzcz1Xb3JkU2VjdGlv
bjE+PHAgY2xhc3M9TXNvTm9ybWFsPkNvcmUgMTIyIGhhcyBiZWVuIGluIHRoZSB0ZXN0aW5nIHBo
YXNlIGZvciBhbG1vc3QgYSBtb250aCBub3cuIElzIHRoZXJlIGFueXRoaW5nIG91dHNpZGVycyBj
YW4gZG8gdG8gaGVscCBhY2NlbGVyYXRlIHRoZSByZWxlYXNlPzxvOnA+PC9vOnA+Cgo8L3A+PHAg
Y2xhc3M9TXNvTm9ybWFsPjxvOnA+Jm5ic3A7PC9vOnA+Cgo8L3A+PHAgY2xhc3M9TXNvTm9ybWFs
PlRoaW5ncyB3ZSBoYXZlIHRyaWVkIG9uIENvcmUgMTIyIHdpdGggc3VjY2Vzczo8bzpwPjwvbzpw
PgoKPC9wPjx1bCBzdHlsZT0nbWFyZ2luLXRvcDowaW4nIHR5cGU9ZGlzYz48bGkgY2xhc3M9TXNv
TGlzdFBhcmFncmFwaCBzdHlsZT0nbWFyZ2luLWxlZnQ6MGluO21zby1saXN0OmwwIGxldmVsMSBs
Zm8xJz5VcGRhdGluZyBjb3BpZXMgb2YgZXhpc3Rpbmcgc3lzdGVtcyBpbmNsdWRpbmcgdGhvc2Ug
d2l0aCBWUE4mIzgyMTc7czxvOnA+PC9vOnA+CjwvbGk+PGxpIGNsYXNzPU1zb0xpc3RQYXJhZ3Jh
cGggc3R5bGU9J21hcmdpbi1sZWZ0OjBpbjttc28tbGlzdDpsMCBsZXZlbDEgbGZvMSc+SW5zdGFs
bGluZyBmcm9tIHNjcmF0Y2ggb24gYmFyZSBtZXRhbCBtYWNoaW5lczxvOnA+PC9vOnA+CjwvbGk+
PGxpIGNsYXNzPU1zb0xpc3RQYXJhZ3JhcGggc3R5bGU9J21hcmdpbi1sZWZ0OjBpbjttc28tbGlz
dDpsMCBsZXZlbDEgbGZvMSc+VHJhbnNmZXJyaW5nIHNldHRpbmdzIGJhY2t1cHMgZnJvbSBleGlz
dGluZyBtYWNoaW5lcyB0byBiYXJlIG1ldGFsIHNldHVwczxvOnA+PC9vOnA+CjwvbGk+PC91bD4K
PHAgY2xhc3M9TXNvTm9ybWFsPjxvOnA+Jm5ic3A7PC9vOnA+Cgo8L3A+PHAgY2xhc3M9TXNvTm9y
bWFsPk5vIHN1cnByaXNlcyB3aXRoIGFueSBvZiB0aGVzZS4gTWFjaGluZXMgd2VyZSBsZWZ0IHJ1
bm5pbmcgd2l0aCB0aGUgdmFyaW91cyB0ZXN0IHNldHVwcyBmb3IgdXAgdG8gYSB3ZWVrIHdpdGgg
bm8gaXNzdWVzLiBBbGwgc2hvd2VkIHNpZ25pZmljYW50IHBlcmZvcm1hbmNlIGJvb3N0cyB3aXRo
IHRoZSBuZXcga2VybmVsLjxvOnA+PC9vOnA+Cgo8L3A+PHAgY2xhc3M9TXNvTm9ybWFsPjxvOnA+
Jm5ic3A7PC9vOnA+Cgo8L3A+PHAgY2xhc3M9TXNvTm9ybWFsPk9uZSB0aGluZyB3ZSBoYXZlIG5v
dGljZWQgJiM4MjExOyB0byBnZXQgdGhlIG1heGltdW0gYmVuZWZpdCBkb2VzIHJlcXVpcmUgYSBi
YXJlIG1ldGFsIGluc3RhbGwgYW5kIGEgcmVzdG9yZSBmcm9tIGJhY2t1cC48bzpwPjwvbzpwPgoK
PC9wPjxwIGNsYXNzPU1zb05vcm1hbCBzdHlsZT0nbXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNv
LW1hcmdpbi1ib3R0b20tYWx0OmF1dG8nPjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTIuMHB0Jz5C
ZXN0IHJlZ2FyZHMsPC9zcGFuPiA8bzpwPjwvbzpwPgoKPC9wPjxwIGNsYXNzPU1zb05vcm1hbCBz
dHlsZT0nbXNvLW1hcmdpbi10b3AtYWx0OmF1dG87bXNvLW1hcmdpbi1ib3R0b20tYWx0OmF1dG8n
PjxzcGFuIHN0eWxlPSdmb250LXNpemU6MTIuMHB0Jz5GcmVkPC9zcGFuPiBLaWVua2VyPG86cD48
L286cD4KCjwvcD48cCBjbGFzcz1Nc29Ob3JtYWw+PG86cD4mbmJzcDs8L286cD4KCjwvcD48L2Rp
dj48L2JvZHk+PC9odG1sPg==

--===============4495074043166286144==--


From michael.tremer@ipfire.org Mon Jul 23 23:15:33 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Core 122
Date: Mon, 23 Jul 2018 23:15:32 +0100
Message-ID: <463d69aefdae325b8f0eb41c9a97b95027965c37.camel@ipfire.org>
In-Reply-To: <H000006e00422959.1532367572.mail.at4b.net@MHS>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5047538505892307196=="

--===============5047538505892307196==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Fred,

thank you for getting in touch.

On Mon, 2018-07-23 at 13:39 -0400, Kienker, Fred wrote:
> Core 122 has been in the testing phase for almost a month now. Is there
> anything outsiders can do to help accelerate the release?

Yes, provide us feedback just like you are doing now.

Even if there are no (new) bugs, we would like to know. So far, it has been
really quiet, but I guess that has a lot to do with the hot weather, a world =
cup
and now people being on holiday.

So, we have not been feeling very confident to roll out the update, but we ma=
de
the decision that it will be coming next week.

> Things we have tried on Core 122 with success:
> Updating copies of existing systems including those with VPN=E2=80=99s
> Installing from scratch on bare metal machines
> Transferring settings backups from existing machines to bare metal setups
> =20
> No surprises with any of these. Machines were left running with the various
> test setups for up to a week with no issues. All showed significant
> performance boosts with the new kernel.

Cool. Did you benchmark that? How has performance improved and on what hardwa=
re
are you running IPFire?
=20
> One thing we have noticed =E2=80=93 to get the maximum benefit does require=
 a bare
> metal install and a restore from backup.

> Best regards,
> Fred Kienker
> =20

Best,
-Michael

--===============5047538505892307196==--


From michael.tremer@ipfire.org Thu Jul 26 10:50:14 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: ARM 64?
Date: Thu, 26 Jul 2018 10:50:03 +0100
Message-ID: <dc4aa7eb2b10d89ecd1952f309fe3a8a38016925.camel@ipfire.org>
In-Reply-To: <7a1c1b4c-d9a2-8803-de6d-5f505cfb6869@link38.eu>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0402547006953970520=="

--===============0402547006953970520==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello guys,

so here is a quick status update on aarch64 & EFI:

* EFI: We have a separate branch with a bootloader that runs in EFI
mode for x86_64 and aarch64. We won't support 32 bit x86 and EFI.

It seems to be running quite okay on most hardware, although we haven't
really tested enough yet to say if is ready for production. All in all
we might merge it for Core 124, but since there was no feedback
whatsoever it is hard to make that decision, yet.

* aarch64: We got a booting kernel and userland. It runs on the RPi 3
with a little bit of manual configuration of the bootloader. Generally
I do not want to support any SBCs, but Arne used this one for testing
at least.

Since we don't have any other hardware and especially nothing that
supports EFI, we haven't brought the two things together, but are
looking forward to do this soon.

I have launched a virtual machine with both, aarch64 and EFI on the APM
Mustang that I have available and it is running well. It is fast, it is
stable and we don't expect a big backlog of bugs that we need to solve
before this is ready to be shipped.

So, that is the July update from my side. Please feel free to ask any
questions if there are any.

Best,
- -Michael

On Mon, 2018-06-18 at 18:11 +0200, Peter M=C3=BCller wrote:
> Hello,
>=20
> this looks quite good - I am strongly interested. :-)
>=20
> Best regards,
> Peter M=C3=BCller
>=20
> > On Mon, 2018-06-18 at 09:40 +1000, Mathew McBride wrote:
> > > Hi Peter,
> > > There are two crypto options on our board:
> > > - ARMv8 Cryptography instructions (similar to AES-NI on x86)
> > > - Freescale SEC/CAAM engine (a 'hardware accelerator' that can do many
> > > TLS,IPSec etc. operations)
> > > I am certain that an RNG is part of the SEC engine, but I need to check=
 the
> > > driver status on Linux.
> > >=20
> > > /proc/crypto output for those interested:
> > > https://gist.github.com/mcbridematt/11f14c78ed4e35e97adf2f027010e374
> >=20
> > Wow, that is a very extensive list of supported ciphers and hashes as wel=
l as
> > the combination of HMAC + cipher mode.
> >=20
> > IPsec in the kernel will basically be not consuming any CPU cycles for cr=
ypto.
> >=20
> > Best,
> > -Michael
> >=20
> > >=20
> > > Regards,
> > > Mathew=20
> > >=20
> > > =EF=BB=BFOn 15/6/18, 3:09 am, "Peter M=C3=BCller" <peter.mueller(a)link=
38.eu> wrote:
> > >=20
> > >     Hello,
> > >    =20
> > >     this board sounds very interesting indeed (trustworthy hardware - y=
ay!).
> > >     However, after reading the datasheet it did not became clear to me =
if it
> > >     has some built-in random number generator and/or cryptography
> > > acceleration.
> > >    =20
> > >     Apart from some low-level backdoors (baked into USB, ... firmware c=
hips)
> > >     it seems like this is suitable for security relevant devices. Looki=
ng
> > >     forward to hear some experiences with IPFire on it. :-)
> > >    =20
> > >     Best regards,
> > >     Peter M=C3=BCller
> > >    =20
> > >     > Hey Matt,
> > >     >=20
> > >     > On Mon, 2018-05-28 at 20:32 +1000, Mathew McBride wrote:
> > >     >> Hi Michael,
> > >     >>
> > >     >> Just in response to your questions:
> > >     >> =EF=BB=BFOn 25/5/18, 11:10 pm, "Michael Tremer" <michael.tremer(=
a)ipfire.org>
> > > wrote:
> > >     >>    =20
> > >     >>    =20
> > >     >>     I think you hardware is good enough for a builder. But I sti=
ll am
> > > not sure
> > >     >> what
> > >     >>     to expect from the CPU. It will be faster than a Raspberry P=
i, but
> > > not a
> > >     >>     Mustang.
> > >     >>    =20
> > >     >> We did some benchmarks with the Phoronix test suite a while ago,=
 this
> > > will
> > >     >> give you an idea:
> > >     >> http://openbenchmarking.org/result/1708303-TR-
> > >     >> 1703199RI93&obr_hgv=3DTraverse+LS1043+Prototype
> > >     >=20
> > >     > I had a look at that. And yes indeed, it is a bit hard to figure =
out the
> > >     > performance by the CPU name alone for most ARM SoCs. There is no
> > > branding in
> > >     > order of performance (or similar) like Intel has.
> > >     >=20
> > >     > That might actually turn out to be a bigger marketing problem, bu=
t we
> > > will see
> > >     > that in the future.
> > >     >=20
> > >     >> To give an idea of the Cortex (ARM designed)-based core performa=
nce:
> > >     >>
> > >     >> The LS1043 has the same A53 cores as the RPi3, but performs bett=
er due
> > > to
> > >     >> having more cache, DDR4 etc (and higher clock).
> > >     >=20
> > >     > Performance is also coming from the rest of the periphery. The RP=
i has a
> > > slow
> > >     > and not very stable USB bus to talk to the network to and SD card
> > > storage. Even
> > >     > with a faster CPU it might very often just wait for data.
> > >     >=20
> > >     > We have been trying to tell people that they should look out for =
some
> > > specific
> > >     > features like cache and good single-core performance.
> > >     >=20
> > >     >> A72 is about double A53 in performance (and power consumption!) =
per
> > > MHz, as
> > >     >> A72 is a modern out-of-order speculative core (it did get hit wi=
th the
> > >     >> Meltdown/Spectre issue).
> > >     >=20
> > >     > Yes, wouldn't mind to have some systems based on that one since t=
he A53
> > > will be
> > >     > too slow for really large enterprise deployments.
> > >     >=20
> > >     >> The latest gen of ARM64 server cores would all be well above A72=
, your
> > > Mustang
> > >     >> is probably around the A72 level.
> > >     >>
> > >     >> In general, ARM network SoCs try to work 'smarter' instead of 'h=
arder',
> > > so the
> > >     >> high network performance comes from having very good network sil=
icon,
> > > taking
> > >     >> advantage of crypto accelerators etc.
> > >     >=20
> > >     > I prefer the NICs in the SoC which gives great performance. The
> > > disadvantage
> > >     > only is that they sometimes to odd configurations like 5x 1G and =
1x 10G
> > > in this
> > >     > case which I don't really understand. The only use-case that make=
s sense
> > > to me
> > >     > is a server but for that the CPU is too slow and people would pro=
bably
> > > go for a
> > >     > A72-class CPU.
> > >     >=20
> > >     >>     > There is a TrustZone firmware running in the ring/EL above=
 the
> > > OS, for
> > >     >> the NXP
> > >     >>     > Layerscape/QorIQ SoC's this firmware is open source, and n=
ot
> > > strictly
> > >     >> required
> > >     >>     > to run the system (it gets loaded by u-boot after power on=
).
> > >     >>    =20
> > >     >>     What does the firmware do?
> > >     >> It implements some vendor-specific power-management extensions (=
PSCI),
> > > as well
> > >     >> as some TPM-like functions.
> > >     >> NXP provides a good overview: https://github.com/qoriq-open-sour=
ce/ppa-
> > > generic
> > >     >> /blob/integration/ReleaseNotes.txt
> > >     >> I am not a security expert, but it could be a good test environm=
ent for
> > > secure
> > >     >> boot, private key storage and other things.
> > >     >=20
> > >     > Great that this is entirely open.
> > >     >=20
> > >     > -Michael
> > >     >=20
> > >     >>
> > >     >>    =20
> > >     >> Cheers,
> > >     >> Matt
> > >     >> =20
> > >     >>
> > >     >>
> > >    =20
> > >     --=20
> > >     "We don't care.  We don't have to.  We're the Phone Company."
> > >    =20
> > >    =20
> > >=20
> > >=20
>=20
>=20
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE5/rW5l3GGe2ypktxgHnw/2+QCQcFAltZmUsACgkQgHnw/2+Q
CQcNfw//VkhXWguNNy/rsjeNLxNlzkJaeb9VXVar6vaTwvq6CcjgNtoRHJcsYU5t
Pk550WufwCeWk1b8VjmGrO1AAfMow/aXVfYJ+wlR0vpi/pwiX596wt1PLcGYMlCB
Ye8Zz4N1FjR1wh8Mqv1aH9AAYhzAKp80GM3bAxU4IRaENutMpdLnOpL9/tiMeoNs
hK9P9skFobvMVQxi+BoF8aWVJrpuVlNP56a/JE/8CVB85El7YnqxLixoDuL1GHjN
6E4CSqtLM8OY9morx32yxd9XvvanxiivAlCnzu8vII8OMuf050fGDV/WHTMlXNEc
S/C5Uua3tcGRInsf2LwPuZ3nMHL4nVIvLUMioMVeCEjoLftQOGgOUK/gV7AOYoy8
WicItyGRduY3IxB79LkRRKy7nZyRTeUm9zxEqsNmT6MquQDhrNa9hQB5LB2N3ZQv
L7CHgeXxtHt5F7n7PQJaICCf0Zl0BM4yP8NK5bpK8YVYP30s8dQxWBbhEuYDO241
ryYIaZ6Xv3cOEH7Md97+2aMsuyXepI/ZW/wpFI//MlkOXoWHNKLDyigmy5rPbQNW
gHIyp7xGOTYOoZPh/jii9dYDwQWNvNMESzC+AsYkBWLmyTYtsexIYts3FIXxunp8
9sqknx/jvhYNsR+9F8htZ9lAhI9fgqqGe9wBPp+blDRE/VNa+Jc=3D
=3DkhkX
-----END PGP SIGNATURE-----


--===============0402547006953970520==--


From matthias.fischer@ipfire.org Mon Jul 30 19:31:42 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Core 121: Checking diskspace on root fails
Date: Mon, 30 Jul 2018 20:31:48 +0200
Message-ID: <f0d5c41e-e875-f91b-080b-7dc28ddb5172@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5486540886925540792=="

--===============5486540886925540792==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hi,

could someone please have a look at this:

https://forum.ipfire.org/viewtopic.php?f=22&t=21088

For reasons I can't understand the diskspace check for core 121 fails
for several users.

I checked by myself and can't find the reason...

Best,
Matthias

--===============5486540886925540792==--


From matthias.fischer@ipfire.org Mon Jul 30 19:55:43 2018
From: Matthias Fischer <matthias.fischer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Core 121: Checking diskspace on root fails
Date: Mon, 30 Jul 2018 20:55:49 +0200
Message-ID: <df011cb2-2ef2-f12a-5c21-9d087b33c15f@ipfire.org>
In-Reply-To: <f0d5c41e-e875-f91b-080b-7dc28ddb5172@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8088201567887441752=="

--===============8088201567887441752==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

On 30.07.2018 20:31, Matthias Fischer wrote:
> Hi,
> 
> could someone please have a look at this:
> 
> https://forum.ipfire.org/viewtopic.php?f=22&t=21088
> 
> For reasons I can't understand the diskspace check for core 121 fails
> for several users.
> 
> I checked by myself and can't find the reason...

Found. Checking 'bootspace' fails ("Returncode 3")- I got the wrong
commit...

Best,
Matthias

--===============8088201567887441752==--


From michael.tremer@ipfire.org Mon Jul 30 21:54:31 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Core 121: Checking diskspace on root fails
Date: Mon, 30 Jul 2018 21:54:30 +0100
Message-ID: <4c386ee978405ad89f645109829ff406a3a7c4f7.camel@ipfire.org>
In-Reply-To: <df011cb2-2ef2-f12a-5c21-9d087b33c15f@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3242134263376268224=="

--===============3242134263376268224==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Hello,

Arne has already reacted to the forum thread, but nevertheless I wanted
to give to protocol that some installations have very little disk space
and the update is quite large.

So if there is not enough disk space, the updater will fail with that
error code.

Best,
-Michael

On Mon, 2018-07-30 at 20:55 +0200, Matthias Fischer wrote:
> On 30.07.2018 20:31, Matthias Fischer wrote:
> > Hi,
> > 
> > could someone please have a look at this:
> > 
> > https://forum.ipfire.org/viewtopic.php?f=22&t=21088
> > 
> > For reasons I can't understand the diskspace check for core 121 fails
> > for several users.
> > 
> > I checked by myself and can't find the reason...
> 
> Found. Checking 'bootspace' fails ("Returncode 3")- I got the wrong
> commit...
> 
> Best,
> Matthias


--===============3242134263376268224==--


From michael.tremer@ipfire.org Tue Jul 31 15:46:09 2018
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Core 121: Checking diskspace on root fails
Date: Tue, 31 Jul 2018 15:46:07 +0100
Message-ID: <e3ecabef9adb181329d22487c1802ba217af4508.camel@ipfire.org>
In-Reply-To: <BEFDD276-8B39-4F96-8BC8-5D43B1711B76@rymes.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============0522947813975275433=="

--===============0522947813975275433==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

On Mon, 2018-07-30 at 20:50 -0400, Tom Rymes wrote:
> Also, I have found that log files can be a major contributor to disk space =
issues.

Yes indeed. Also SARG can use a lot of disk space and the RRD files for
the graphs when many OpenVPN connections exist.

Best,
-Michael

> > On Jul 30, 2018, at 4:54 PM, Michael Tremer <michael.tremer(a)ipfire.org>=
 wrote:
> >=20
> > Hello,
> >=20
> > Arne has already reacted to the forum thread, but nevertheless I wanted
> > to give to protocol that some installations have very little disk space
> > and the update is quite large.
> >=20
> > So if there is not enough disk space, the updater will fail with that
> > error code.
> >=20
> > Best,
> > -Michael
> >=20
> > > On Mon, 2018-07-30 at 20:55 +0200, Matthias Fischer wrote:
> > > > On 30.07.2018 20:31, Matthias Fischer wrote:
> > > > Hi,
> > > >=20
> > > > could someone please have a look at this:
> > > >=20
> > > > https://forum.ipfire.org/viewtopic.php?f=3D22&t=3D21088
> > > >=20
> > > > For reasons I can't understand the diskspace check for core 121 fails
> > > > for several users.
> > > >=20
> > > > I checked by myself and can't find the reason...
> > >=20
> > > Found. Checking 'bootspace' fails ("Returncode 3")- I got the wrong
> > > commit...
> > >=20
> > > Best,
> > > Matthias


--===============0522947813975275433==--