Core Update 164 (testing) report

["Peter Müller" <peter.mueller@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1690 bytes --]

Hello development folks,

Core Update 164 (testing; see: https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-testing)
is running here for about three days by now without any major issues known so far.

While the updated kernel should fix XHCI issues affecting a relatively small fraction
of our userbase pretty badly (see #12750), I was unable to confirm it does, as I do
not have physical access to the only board affected in my environment. Also, I am not
aware of any community feedback on this, too. Let's hope we'll hear about this soon...

Although not mentioned in the testing announcement due to ${reasons}, this update
contains the "multiple IPS ruleset providers" by Stefan, also working fine. Thanks for
that, too!

While the DROP_HOSTILE stuff works well and I have not yet read any complaint about it,
there is a decent amount of apparently legitimate packets being logged (and subsequently)
dropped as conntrack INVALIDs. Other users notice this as well.

I do not really see this as an issue: We now _know_ conntrack is dropping substantially
more packets than we expected it to do, and can investigate on why it does this. Yay.

Tested IPFire functionalities in detail:
- PPPoE dial-up via a DSL connection
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats community ruleset enabled)
- Guardian
- Quality of Service
- DNS (using DNS over TLS and strict QNAME minimisation)
- Dynamic DNS
- Tor (relay mode)

I am looking forward to the release of Core Update 164.

Thanks, and best regards,
Peter Müller