From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: Re: [PATCH] ppp: Fixes bug#13164 - Update to version 2.5.0
Date: Mon, 03 Jul 2023 17:37:13 +0200
Message-ID: <437a4879-9630-7072-32fa-5438f143bd39@ipfire.org>

Hi Michael,

On 03/07/2023 16:11, Michael Tremer wrote:
> Hello Adolf,
>
> This might be a tricky version update...

I will work on it till everyone is happy to move forward with it.

>
>> On 2 Jul 2023, at 10:54, Adolf Belka wrote:
>>
>> - Update from version 2.4.9 to 2.5.0
>>   This includes breaking changes for third-party plugins but as far as I can see IPFire
>>   is not using any third party plugins
>
> No, we should no longer build the Roaring Penguin PPPoE plugin from their source, but use the included one.

In the ppp-2.4.9 there was a pppoe.so and rp-pppoe.so library. In the
ppp-2.5.0 there is only the pppoe.so library so it looks like the
roaring penguin plugin is removed by default now.

In the RED initscript there is a section which specifies the rp-pppoe.so
lib as the plugin to use

364 ## Plugin Options
365 #
366 if [ "$TYPE" == "pppoe" ]; then
367     [ "${METHOD}" == "PPPOE_PLUGIN" ] && \
368         PLUGOPTS="plugin rp-pppoe.so"
369 fi

Does line 368 need to be changed to PLUGOPTS="plugin pppoe.so" or what?

rp-pppoe is not referenced anywhere else in IPFire that I have been able
to find.

>
>> - Update of rootfile
>> - Update of patches and sed commands
>> - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
>> - Some of the patches required updates as additional lines needing to be patched are
>>   now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches
>
> Yes, these can go. We should be able to rely on upstream to build this for modern OSes.

So I should remove the two patch files that are related to CLOEXEC but
still keep the others - correct?

>
>> - connect-errors file location is now defined by a configure command --with-logfile-dir
>> - install-etcppp is no longer provided. However the install command in this version still
>>   has the same files available in /etc/ppp as previously. There is a new file,
>>   openssl.cnf, which I have commented out. If it is required in future it can always be
>>   uncommented in future releases.
>> - Build went without any problems with the updated patches.
>> - I cannot test this as I don't use ppp, however the original bug reporter has agreed to
>>   test this out when it is released into Testing unless anyone else is capable of testing
>>   it.
>
> So, we didn’t have any issues with this in the past, but however, if we break this, then people won’t have an Internet connection any more to download any fixes. So let’s please make sure that we give this all extra attention and this won’t happen.
>
> Sadly, I don’t have a PPP connection either.
>
> Reviewed-by: Michael Tremer
>
>> - Changelog
>>   What's new in ppp-2.5.0.
>>   The 2.5.0 release is a major release of pppd which contains breaking
>>   changes for third-party plugins, a complete revamp of the build-system
>>   and that allows for flexibility of configuring features as needed.
>>   In Summary:
>>   * Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
>>   * Support for loading PKCS12 certificate envelopes
>>   * Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
>>     and others.
>>   * Support for pkgconfig tool has been added by Eivind Næss.
>>   * Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
>>   * Major revision to PPPD's Plugin API by Eivind Næss.
>>     - Defines in which describes what features was included in pppd
>>     - Functions now prefixed with explicit ppp_* to indicate that
>>       pppd functions being called.
>>     - Header files were renamed to better align with their features,
>>       and now use proper include guards
>>     - A pppdconf.h file is supplied to allow third-party modules to use
>>       the same feature defines pppd was compiled with.
>>     - No extern declarations of internal variable names of pppd,
>>       continued use of these extern variables are considered
>>       unstable.
>>   * Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
>>   * Dropped IPX support, as Linux has dropped support in version 5.15
>>     for this protocol.
>>   * Many more fixes and cleanups.
>>   * Pppd is no longer installed setuid-root.
>
> CAP_NET_ADMIN should be sufficient. We will however still run pppd as root only.

Is CAP_NET_ADMIN used by default with pppd or do I need to change
something for this?

>
>>   * New pppd options:
>>     - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
>>       ipv6-up-script, ipv6-down-script
>>     - -v, show-options
>>     - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
>>   * On Linux, any baud rate can be set on a serial port provided the
>>     kernel serial driver supports that.
>>   Note that if you have built and installed previous versions of this
>>   package and you want to continue having configuration and TDB files in
>>   /etc/ppp, you will need to use the --sysconfdir option to ./configure.
>>   For a list of the changes made during the 2.4 series releases of this
>>   package, see the Changes-2.4 file.
>>   Compression methods.
>>   This package supports two packet compression methods: Deflate and
>>   BSD-Compress. Other compression methods which are in common use
>>   include Predictor, LZS, and MPPC. These methods are not supported for
>>   two reasons - they are patent-encumbered, and they cause some packets
>>   to expand slightly, which pppd doesn't currently allow for.
>>   BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
>>   ever expand packets.
>
> -Michael
>
>> Fixes: bug#13164
>> Signed-off-by: Adolf Belka
>> ---
>> config/rootfiles/common/ppp | 58 +++---
>> lfs/ppp | 28 +--
>> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------
>> ...ppp-2.4.6-increase-max-padi-attempts.patch | 13 --
>> src/patches/ppp/ppp-2.4.7-headers_4.9.patch | 12 --
>> ...-configure-to-handle-cflags-properly.patch | 15 --
>> ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++-----
>> ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++---------
>> ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++
>> ...p-2.5.0-4-increase-max-padi-attempts.patch | 12 ++
>> src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch | 12 ++
>> ...-configure-to-handle-cflags-properly.patch | 18 ++
>> 12 files changed, 344 insertions(+), 375 deletions(-)
>> delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch
>> delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch
>> delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.patch
>> rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch => ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%)
>> rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch => ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch} (63%)
>> create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
>> create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
>> create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
>> create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
>> >> diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp >> index d61fdf811..6098fa7c3 100644 >> --- a/config/rootfiles/common/ppp >> +++ b/config/rootfiles/common/ppp 
>> @@ -7,49 +7,57 @@ etc/ppp/dialer >> etc/ppp/ioptions >> etc/ppp/ip-down >> etc/ppp/ip-up >> +#etc/ppp/openssl.cnf >> etc/ppp/options >> etc/ppp/pap-secrets >> etc/ppp/standardloginscript >> #usr/include/pppd >> +#usr/include/pppd/cbcp.h >> #usr/include/pppd/ccp.h >> -#usr/include/pppd/chap-new.h >> +#usr/include/pppd/chap.h >> #usr/include/pppd/chap_ms.h >> -#usr/include/pppd/eap-tls.h >> +#usr/include/pppd/crypto.h >> +#usr/include/pppd/crypto_ms.h >> #usr/include/pppd/eap.h >> #usr/include/pppd/ecp.h >> #usr/include/pppd/eui64.h >> #usr/include/pppd/fsm.h >> #usr/include/pppd/ipcp.h >> #usr/include/pppd/ipv6cp.h >> -#usr/include/pppd/ipxcp.h >> #usr/include/pppd/lcp.h >> #usr/include/pppd/magic.h >> -#usr/include/pppd/md4.h >> -#usr/include/pppd/md5.h >> #usr/include/pppd/mppe.h >> -#usr/include/pppd/patchlevel.h >> -#usr/include/pppd/pathnames.h >> -#usr/include/pppd/pppcrypt.h >> +#usr/include/pppd/multilink.h >> +#usr/include/pppd/options.h >> #usr/include/pppd/pppd.h >> +#usr/include/pppd/pppdconf.h >> #usr/include/pppd/session.h >> -#usr/include/pppd/sha1.h >> -#usr/include/pppd/spinlock.h >> -#usr/include/pppd/tdb.h >> #usr/include/pppd/upap.h >> +#usr/lib/pkgconfig/pppd.pc >> usr/lib/pppd >> -usr/lib/pppd/2.4.9 >> -usr/lib/pppd/2.4.9/minconn.so >> -usr/lib/pppd/2.4.9/openl2tp.so >> -usr/lib/pppd/2.4.9/passprompt.so >> -usr/lib/pppd/2.4.9/passwordfd.so >> -usr/lib/pppd/2.4.9/pppoatm.so >> -usr/lib/pppd/2.4.9/pppoe.so >> -usr/lib/pppd/2.4.9/pppol2tp.so >> -usr/lib/pppd/2.4.9/radattr.so >> -usr/lib/pppd/2.4.9/radius.so >> -usr/lib/pppd/2.4.9/radrealms.so >> -usr/lib/pppd/2.4.9/rp-pppoe.so >> -usr/lib/pppd/2.4.9/winbind.so >> +usr/lib/pppd/2.5.0 >> +#usr/lib/pppd/2.5.0/minconn.la >> +usr/lib/pppd/2.5.0/minconn.so >> +#usr/lib/pppd/2.5.0/openl2tp.la >> +usr/lib/pppd/2.5.0/openl2tp.so >> +#usr/lib/pppd/2.5.0/passprompt.la >> +usr/lib/pppd/2.5.0/passprompt.so >> +#usr/lib/pppd/2.5.0/passwordfd.la >> +usr/lib/pppd/2.5.0/passwordfd.so >> 
+#usr/lib/pppd/2.5.0/pppoatm.la >> +usr/lib/pppd/2.5.0/pppoatm.so >> +#usr/lib/pppd/2.5.0/pppoe.la >> +usr/lib/pppd/2.5.0/pppoe.so >> +#usr/lib/pppd/2.5.0/pppol2tp.la >> +usr/lib/pppd/2.5.0/pppol2tp.so >> +#usr/lib/pppd/2.5.0/radattr.la >> +usr/lib/pppd/2.5.0/radattr.so >> +#usr/lib/pppd/2.5.0/radius.la >> +usr/lib/pppd/2.5.0/radius.so >> +#usr/lib/pppd/2.5.0/radrealms.la >> +usr/lib/pppd/2.5.0/radrealms.so >> +#usr/lib/pppd/2.5.0/winbind.la >> +usr/lib/pppd/2.5.0/winbind.so >> usr/sbin/chat >> usr/sbin/pppd >> usr/sbin/pppdump >> @@ -60,5 +68,7 @@ usr/sbin/pppstats >> #usr/share/man/man8/pppd-radius.8 >> #usr/share/man/man8/pppd.8 >> #usr/share/man/man8/pppdump.8 >> +#usr/share/man/man8/pppoe-discovery.8 >> #usr/share/man/man8/pppstats.8 >> var/log/connect-errors >> + >> diff --git a/lfs/ppp b/lfs/ppp >> index fb46d8aac..fc4528ece 100644 >> --- a/lfs/ppp >> +++ b/lfs/ppp >> @@ -1,7 +1,7 @@ >> ##########################################################################= ##### >> # = # >> # IPFire.org - A linux based firewall = # >> -# Copyright (C) 2007-2021 IPFire Team = # >> +# Copyright (C) 2007-2023 IPFire Team = # >> # = # >> # This program is free software: you can redistribute it and/or modify = # >> # it under the terms of the GNU General Public License as published by = # >> @@ -24,7 +24,7 @@ >> >> include Config >> >> -VER =3D 2.4.9 >> +VER =3D 2.5.0 >> >> THISAPP =3D ppp-$(VER) >> DL_FILE =3D $(THISAPP).tar.gz >> @@ -42,7 +42,7 @@ objects =3D $(DL_FILE) >> >> $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >> >> -$(DL_FILE)_BLAKE2 =3D 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa5= 8b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5 >> +$(DL_FILE)_BLAKE2 =3D 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb= 1f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d >> >> install : $(TARGET) 
>> >> @@ -72,18 +72,20 @@ $(subst %,%_BLAKE2,$(objects)) : >> $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> @$(PREBUILD) >> @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) >> - cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h >> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-d= on-t-want-to-accidentally-leak-fds.patch >> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywher= e-O_CLOEXEC-harder.patch >> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywher= e-use-SOCK_CLOEXEC-when-creating-socket.patch >> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-incr= ease-max-padi-attempts.patch >> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-head= ers_4.9.patch >> - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patc= h-configure-to-handle-cflags-properly.patch >> - cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-e= rrors+" pppd/pathnames.h >> - cd $(DIR_APP) && ./configure --prefix=3D/usr --cc=3D"gcc" --cflags=3D"$(= CFLAGS)" --disable-nls >> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we= -don-t-want-to-accidentally-leak-fds.patch >> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-ev= erywhere-O_CLOEXEC-harder.patch >> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-ev= erywhere-use-SOCK_CLOEXEC-when-creating-socket.patch >> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-in= crease-max-padi-attempts.patch >> + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-he= aders_4.9.patch >> + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-pa= tch-configure-to-handle-cflags-properly.patch >> + cd $(DIR_APP) && ./configure \ >> + --prefix=3D/usr \ >> + --sysconfdir=3D/etc \ >> + --with-logfile-dir=3D/var/log \ >> + cc=3D"gcc" \ >> + 
cflags=3D"$(CFLAGS)" >> cd $(DIR_APP) && make $(MAKETUNING) >> cd $(DIR_APP) && make install >> - cd $(DIR_APP) && make install-etcppp >> touch /var/log/connect-errors >> -mkdir -p /etc/ppp >> for i in $(DIR_SRC)/src/ppp/* ; do \ >> diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creatin= g-socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creati= ng-socket.patch >> deleted file mode 100644 >> index fffda981d..000000000 >> --- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socke= t.patch >> +++ /dev/null 
>> @@ -1,165 +0,0 @@ >> -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 >> -From: Michal Sekletar >> -Date: Mon, 7 Apr 2014 14:21:41 +0200 >> -Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket >> - >> ---- >> - pppd/plugins/pppoatm/pppoatm.c | 2 +- >> - pppd/plugins/pppol2tp/openl2tp.c | 2 +- >> - pppd/plugins/pppol2tp/pppol2tp.c | 2 +- >> - pppd/plugins/pppoe/if.c | 2 +- >> - pppd/plugins/pppoe/plugin.c | 6 +++--- >> - pppd/plugins/pppoe/pppoe-discovery.c | 2 +- >> - pppd/sys-linux.c | 10 +++++----- >> - pppd/tty.c | 2 +- >> - 8 files changed, 14 insertions(+), 14 deletions(-) >> - >> -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoat= m.c >> -index d693350..c31bb34 100644 >> ---- a/pppd/plugins/pppoatm/pppoatm.c >> -+++ b/pppd/plugins/pppoatm/pppoatm.c >> -@@ -135,7 +135,7 @@ static int connect_pppoatm(void) >> - >> - if (!device_got_set) >> - no_device_given_pppoatm(); >> -- fd =3D socket(AF_ATMPVC, SOCK_DGRAM, 0); >> -+ fd =3D socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (fd < 0) >> - fatal("failed to create socket: %m"); >> - memset(&qos, 0, sizeof qos); >> -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/ope= nl2tp.c >> -index 9643b96..1099575 100644 >> ---- a/pppd/plugins/pppol2tp/openl2tp.c >> -+++ b/pppd/plugins/pppol2tp/openl2tp.c >> -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) >> - int result; >> - >> - if (openl2tp_fd < 0) { >> -- openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM, 0); >> -+ openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (openl2tp_fd < 0) { >> - error("openl2tp connection create: %m"); >> - return -ENOTCONN; >> -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/ppp= ol2tp.c >> -index a7e3400..e64a778 100644 >> ---- a/pppd/plugins/pppol2tp/pppol2tp.c >> -+++ b/pppd/plugins/pppol2tp/pppol2tp.c >> -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, >> - struct ifreq ifr; >> - 
int fd; >> - >> -- fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> -+ fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (fd >=3D 0) { >> - memset (&ifr, '\0', sizeof (ifr)); >> - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); >> -diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c >> -index 91e9a57..72aba41 100644 >> ---- a/pppd/plugins/pppoe/if.c >> -+++ b/pppd/plugins/pppoe/if.c >> -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsi= gned char *hwaddr) >> - stype =3D SOCK_PACKET; >> - #endif >> - >> -- if ((fd =3D socket(domain, stype, htons(type))) < 0) { >> -+ if ((fd =3D socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { >> - /* Give a more helpful message for the common error case */ >> - if (errno =3D=3D EPERM) { >> - fatal("Cannot create raw socket -- pppoe must be run as root."); >> -diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c >> -index a8c2bb4..24bdf8f 100644 >> ---- a/pppd/plugins/pppoe/plugin.c >> -+++ b/pppd/plugins/pppoe/plugin.c >> -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) >> - /* server equipment). 
= */ >> - /* Opening this socket just before waitForPADS in the discovery() = */ >> - /* function would be more appropriate, but it would mess-up the code= */ >> -- conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); >> -+ conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC,= PX_PROTO_OE); >> - if (conn->sessionSocket < 0) { >> - error("Failed to create PPPoE socket: %m"); >> - return -1; >> -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) >> - lcp_wantoptions[0].mru =3D conn->mru; >> - >> - /* Update maximum MRU */ >> -- s =3D socket(AF_INET, SOCK_DGRAM, 0); >> -+ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (s < 0) { >> - error("Can't get MTU for %s: %m", conn->ifName); >> - goto errout; >> -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) >> - } >> - >> - /* Open a socket */ >> -- if ((fd =3D socket(PF_PACKET, SOCK_RAW, 0)) < 0) { >> -+ if ((fd =3D socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { >> - r =3D 0; >> - } >> - >> -diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pp= poe-discovery.c >> -index 3d3bf4e..c0d927d 100644 >> ---- a/pppd/plugins/pppoe/pppoe-discovery.c >> -+++ b/pppd/plugins/pppoe/pppoe-discovery.c >> -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsi= gned char *hwaddr) >> - stype =3D SOCK_PACKET; >> - #endif >> - >> -- if ((fd =3D socket(domain, stype, htons(type))) < 0) { >> -+ if ((fd =3D socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { >> - /* Give a more helpful message for the common error case */ >> - if (errno =3D=3D EPERM) { >> - rp_fatal("Cannot create raw socket -- pppoe must be run as root."); >> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c >> -index 00a2cf5..0690019 100644 >> ---- a/pppd/sys-linux.c >> -+++ b/pppd/sys-linux.c >> -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int= set_bits) >> - void sys_init(void) >> - { >> - /* Get an internet socket for doing socket 
ioctls. */ >> -- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> -+ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (sock_fd < 0) >> - fatal("Couldn't create IP socket: %m(%d)", errno); >> - >> - #ifdef INET6 >> -- sock6_fd =3D socket(AF_INET6, SOCK_DGRAM, 0); >> -+ sock6_fd =3D socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (sock6_fd < 0) >> - sock6_fd =3D -errno; /* save errno for later */ >> - #endif >> -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) >> - struct ifreq ifreq; >> - int ret, sock_fd; >> - >> -- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> -+ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (sock_fd < 0) >> - return 0; >> - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); >> -@@ -2067,7 +2067,7 @@ int ppp_available(void) >> - /* >> - * Open a socket for doing the ioctl operations. >> - */ >> -- s =3D socket(AF_INET, SOCK_DGRAM, 0); >> -+ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> - if (s < 0) >> - return 0; >> - >> -diff --git a/pppd/tty.c b/pppd/tty.c >> -index bc96695..8e76a5d 100644 >> ---- a/pppd/tty.c >> -+++ b/pppd/tty.c >> -@@ -896,7 +896,7 @@ open_socket(dest) >> - *sep =3D ':'; >> - >> - /* get a socket and connect it to the other end */ >> -- sock =3D socket(PF_INET, SOCK_STREAM, 0); >> -+ sock =3D socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); >> - if (sock < 0) { >> - error("Can't create socket: %m"); >> - return -1; >> --- >> -1.8.3.1 >> - >> diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/= src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch >> deleted file mode 100644 >> index 1b36e8369..000000000 >> --- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch >> +++ /dev/null 
>> @@ -1,13 +0,0 @@ >> -diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h >> -index 9ab2eee..86762bd 100644 >> ---- a/pppd/plugins/pppoe/pppoe.h >> -+++ b/pppd/plugins/pppoe/pppoe.h >> -@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session; >> - #define STATE_TERMINATED 4 >> - >> - /* How many PADI/PADS attempts? */ >> --#define MAX_PADI_ATTEMPTS 3 >> -+#define MAX_PADI_ATTEMPTS 4 >> - >> - /* Initial timeout for PADO/PADS */ >> - #define PADI_TIMEOUT 5 >> diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp= /ppp-2.4.7-headers_4.9.patch >> deleted file mode 100644 >> index 686db9204..000000000 >> --- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch >> +++ /dev/null >> @@ -1,12 +0,0 @@ >> -diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugi= ns/pppoe/plugin.c >> ---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.0000000= 00 +0200 >> -+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 += 0100 >> -@@ -49,6 +49,8 @@ >> - #include >> - #include >> - #include >> -+#define _LINUX_IN_H >> -+#define _LINUX_IN6_H >> - #include >> - >> - #ifndef _ROOT_PATH >> diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-pr= operly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-pro= perly.patch >> deleted file mode 100644 >> index b36ace192..000000000 >> --- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.= patch >> +++ /dev/null 
>> @@ -1,15 +0,0 @@ >> ---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200 >> -+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200 >> -@@ -121,9 +121,9 @@ >> - rm -f $2 >> - if [ -f $1 ]; then >> - echo " $2 <=3D $1" >> -- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ >> -- -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ >> -- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 >> -+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \ >> -+ -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \ >> -+ -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2 >> - fi >> - } >> - >> diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-= fds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fd= s.patch >> similarity index 54% >> rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-f= ds.patch >> rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-f= ds.patch >> index 90bb2d161..98ab03119 100644 >> --- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.pat= ch >> +++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.p= atch 
>> @@ -1,20 +1,8 @@ >> -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 >> -From: Michal Sekletar >> -Date: Mon, 7 Apr 2014 12:23:36 +0200 >> -Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds >> - >> ---- >> - pppd/auth.c | 20 ++++++++++---------- >> - pppd/options.c | 2 +- >> - pppd/sys-linux.c | 4 ++-- >> - 3 files changed, 13 insertions(+), 13 deletions(-) >> - >> -diff --git a/pppd/auth.c b/pppd/auth.c >> -index 4271af6..9e957fa 100644 >> ---- a/pppd/auth.c >> -+++ b/pppd/auth.c >> -@@ -428,7 +428,7 @@ setupapfile(argv) >> - option_error("unable to reset uid before opening %s: %m", fname); >> +diff -Naur pppd.orig/auth.c pppd/auth.c >> +--- pppd.orig/auth.c 2023-03-25 05:38:30.000000000 +0100 >> ++++ pppd/auth.c 2023-06-30 12:38:13.748482796 +0200 >> +@@ -518,7 +518,7 @@ >> + free(fname); >> return 0; >> } >> - ufile =3D fopen(fname, "r"); >> @@ -22,8 +10,8 @@ index 4271af6..9e957fa 100644 >> if (seteuid(euid) =3D=3D -1) >> fatal("unable to regain privileges: %m"); >> if (ufile =3D=3D NULL) { >> -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdl= en, msg) >> - filename =3D _PATH_UPAPFILE; >> +@@ -1535,7 +1535,7 @@ >> + filename =3D PPP_PATH_UPAPFILE; >> addrs =3D opts =3D NULL; >> ret =3D UPAP_AUTHNAK; >> - f =3D fopen(filename, "r"); 
>> @@ -31,52 +19,52 @@ index 4271af6..9e957fa 100644 >> if (f =3D=3D NULL) { >> error("Can't open PAP password file %s: %m", filename); >> >> -@@ -1512,7 +1512,7 @@ null_login(unit) >> +@@ -1635,7 +1635,7 @@ >> if (ret <=3D 0) { >> - filename =3D _PATH_UPAPFILE; >> + filename =3D PPP_PATH_UPAPFILE; >> addrs =3D NULL; >> - f =3D fopen(filename, "r"); >> + f =3D fopen(filename, "re"); >> if (f =3D=3D NULL) >> return 0; >> check_access(f, filename); >> -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) >> +@@ -1681,7 +1681,7 @@ >> } >> >> - filename =3D _PATH_UPAPFILE; >> + filename =3D PPP_PATH_UPAPFILE; >> - f =3D fopen(filename, "r"); >> + f =3D fopen(filename, "re"); >> if (f =3D=3D NULL) >> return 0; >> check_access(f, filename); >> -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) >> +@@ -1718,7 +1718,7 @@ >> } >> >> - filename =3D _PATH_UPAPFILE; >> + filename =3D PPP_PATH_UPAPFILE; >> - f =3D fopen(filename, "r"); >> + f =3D fopen(filename, "re"); >> if (f =3D=3D NULL) >> return 0; >> >> -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) >> +@@ -1760,7 +1760,7 @@ >> } >> >> - filename =3D _PATH_CHAPFILE; >> + filename =3D PPP_PATH_CHAPFILE; >> - f =3D fopen(filename, "r"); >> + f =3D fopen(filename, "re"); >> if (f =3D=3D NULL) >> return 0; >> >> -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) >> +@@ -1798,7 +1798,7 @@ >> struct wordlist *addrs; >> >> - filename =3D _PATH_SRPFILE; >> + filename =3D PPP_PATH_SRPFILE; >> - f =3D fopen(filename, "r"); >> + f =3D fopen(filename, "re"); >> if (f =3D=3D NULL) >> return 0; >> >> -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len= , am_server) >> +@@ -1849,7 +1849,7 @@ >> addrs =3D NULL; >> secbuf[0] =3D 0; 
>> >> @@ -85,8 +73,8 @@ index 4271af6..9e957fa 100644 >> if (f =3D=3D NULL) { >> error("Can't open chap secret file %s: %m", filename); >> return 0; >> -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_ser= ver) >> - filename =3D _PATH_SRPFILE; >> +@@ -1902,7 +1902,7 @@ >> + filename =3D PPP_PATH_SRPFILE; >> addrs =3D NULL; >> >> - fp =3D fopen(filename, "r"); >> @@ -94,7 +82,7 @@ index 4271af6..9e957fa 100644 >> if (fp =3D=3D NULL) { >> error("Can't open srp secret file %s: %m", filename); >> return 0; >> -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opt= s, filename, flags) >> +@@ -2291,7 +2291,7 @@ >> */ >> if (word[0] =3D=3D '@' && word[1] =3D=3D '/') { >> strlcpy(atfile, word+1, sizeof(atfile)); 
>> @@ -103,12 +91,38 @@ index 4271af6..9e957fa 100644 >> warn("can't open indirect secret file %s", atfile); >> continue; >> } >> -diff --git a/pppd/options.c b/pppd/options.c >> -index 45fa742..1d754ae 100644 >> ---- a/pppd/options.c >> -+++ b/pppd/options.c >> -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, p= riv) >> - option_error("unable to drop privileges to open %s: %m", filename); >> +@@ -2461,7 +2461,7 @@ >> + char pkfile[MAXWORDLEN]; >> + >> + filename =3D PPP_PATH_EAPTLSSERVFILE; >> +- f =3D fopen(filename, "r"); >> ++ f =3D fopen(filename, "re"); >> + if (f =3D=3D NULL) >> + return 0; >> + >> +@@ -2518,7 +2518,7 @@ >> + return 1; >> + >> + filename =3D PPP_PATH_EAPTLSCLIFILE; >> +- f =3D fopen(filename, "r"); >> ++ f =3D fopen(filename, "re"); >> + if (f =3D=3D NULL) >> + return 0; >> + >> +@@ -2738,7 +2738,7 @@ >> + filename =3D (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFI= LE); >> + addrs =3D NULL; >> + >> +- fp =3D fopen(filename, "r"); >> ++ fp =3D fopen(filename, "re"); >> + if (fp =3D=3D NULL) >> + { >> + error("Can't open eap-tls secret file %s: %m", filename); >> +diff -Naur pppd.orig/options.c pppd/options.c >> +--- pppd.orig/options.c 2023-03-25 05:38:30.000000000 +0100 >> ++++ pppd/options.c 2023-06-30 12:42:19.262593140 +0200 >> +@@ -555,7 +555,7 @@ >> + ppp_option_error("unable to drop privileges to open %s: %m", filename); >> return 0; >> } >> - f =3D fopen(filename, "r"); 
>> @@ -116,11 +130,10 @@ index 45fa742..1d754ae 100644 >> err =3D errno; >> if (check_prot && seteuid(euid) =3D=3D -1) >> fatal("unable to regain privileges"); >> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c >> -index 72a7727..8a12fa0 100644 >> ---- a/pppd/sys-linux.c >> -+++ b/pppd/sys-linux.c >> -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) >> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c >> +--- pppd.orig/sys-linux.c 2023-03-10 02:50:41.000000000 +0100 >> ++++ pppd/sys-linux.c 2023-06-30 12:43:20.634453475 +0200 >> +@@ -1978,7 +1978,7 @@ >> /* Default the mount location of /proc */ >> strlcpy (proc_path, "/proc", sizeof(proc_path)); >> proc_path_len =3D 5; >> @@ -129,7 +142,7 @@ index 72a7727..8a12fa0 100644 >> if (fp !=3D NULL) { >> while ((mntent =3D getmntent(fp)) !=3D NULL) { >> if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) =3D=3D 0) >> -@@ -1472,7 +1472,7 @@ static int open_route_table (void) >> +@@ -2038,7 +2038,7 @@ >> close_route_table(); >> >> path =3D path_to_procfs("/net/route"); >> @@ -138,6 +151,12 @@ index 72a7727..8a12fa0 100644 >> if (route_fd =3D=3D NULL) { >> error("can't open routing table %s: %m", path); >> return 0; >> --- >> -1.8.3.1 >> - >> +@@ -2322,7 +2322,7 @@ >> + close_route_table(); >> + >> + path =3D path_to_procfs("/net/ipv6_route"); >> +- route_fd =3D fopen (path, "r"); >> ++ route_fd =3D fopen (path, "re"); >> + if (route_fd =3D=3D NULL) { >> + error("can't open routing table %s: %m", path); >> + return 0; >> diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/= patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch >> similarity index 63% >> rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch >> rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch >> index 0fb028779..c205c0e08 100644 >> --- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch >> +++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch 
>> @@ -1,23 +1,7 @@ >> -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 >> -From: Michal Sekletar >> -Date: Mon, 7 Apr 2014 13:56:34 +0200 >> -Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder >> - >> ---- >> - pppd/eap.c | 2 +- >> - pppd/main.c | 4 ++-- >> - pppd/options.c | 4 ++-- >> - pppd/sys-linux.c | 22 +++++++++++----------- >> - pppd/tdb.c | 4 ++-- >> - pppd/tty.c | 4 ++-- >> - pppd/utils.c | 6 +++--- >> - 7 files changed, 23 insertions(+), 23 deletions(-) >> - >> -diff --git a/pppd/eap.c b/pppd/eap.c >> -index 6ea6c1f..faced53 100644 >> ---- a/pppd/eap.c >> -+++ b/pppd/eap.c >> -@@ -1226,7 +1226,7 @@ mode_t modebits; >> +diff -Naur pppd.orig/eap.c pppd/eap.c >> +--- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100 >> ++++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200 >> +@@ -1542,7 +1542,7 @@ >> >> if ((path =3D name_of_pn_file()) =3D=3D NULL) >> return (-1); 
>> @@ -26,34 +10,23 @@ index 6ea6c1f..faced53 100644 >> err =3D errno; >> free(path); >> errno =3D err; >> -diff --git a/pppd/main.c b/pppd/main.c >> -index 87a5d29..152e4a2 100644 >> ---- a/pppd/main.c >> -+++ b/pppd/main.c >> -@@ -400,7 +400,7 @@ main(int argc, char *argv[]) >> +diff -Naur pppd.orig/main.c pppd/main.c >> +--- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100 >> ++++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200 >> +@@ -479,7 +479,7 @@ >> die(0); >> >> /* Make sure fds 0, 1, 2 are open to somewhere. */ >> -- fd_devnull =3D open(_PATH_DEVNULL, O_RDWR); >> -+ fd_devnull =3D open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); >> +- fd_devnull =3D open(PPP_DEVNULL, O_RDWR); >> ++ fd_devnull =3D open(PPP_DEVNULL, O_RDWR | O_CLOEXEC); >> if (fd_devnull < 0) >> - fatal("Couldn't open %s: %m", _PATH_DEVNULL); >> + fatal("Couldn't open %s: %m", PPP_DEVNULL); >> while (fd_devnull <=3D 2) { >> -@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int d= ont_wait) >> - if (log_to_fd >=3D 0) >> - errfd =3D log_to_fd; >> - else >> -- errfd =3D open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); >> -+ errfd =3D open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXE= C, 0644); >> - >> - ++conn_running; >> - pid =3D safe_fork(in, out, errfd); >> -diff --git a/pppd/options.c b/pppd/options.c >> -index 1d754ae..8e62635 100644 >> ---- a/pppd/options.c >> -+++ b/pppd/options.c >> -@@ -1544,9 +1544,9 @@ setlogfile(argv) >> - option_error("unable to drop permissions to open %s: %m", *argv); >> +diff -Naur pppd.orig/options.c pppd/options.c >> +--- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200 >> ++++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200 >> +@@ -1718,9 +1718,9 @@ >> + ppp_option_error("unable to drop permissions to open %s: %m", *argv); >> return 0; >> } >> - fd =3D open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); 
>> @@ -64,11 +37,10 @@ index 1d754ae..8e62635 100644 >> err =3D errno; >> if (!privileged_option && seteuid(euid) =3D=3D -1) >> fatal("unable to regain privileges: %m"); >> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c >> -index 8a12fa0..00a2cf5 100644 >> ---- a/pppd/sys-linux.c >> -+++ b/pppd/sys-linux.c >> -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) >> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c >> +--- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200 >> ++++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200 >> +@@ -666,7 +666,7 @@ >> goto err; >> } >> dbglog("using channel %d", chindex); >> @@ -77,7 +49,7 @@ index 8a12fa0..00a2cf5 100644 >> if (fd < 0) { >> error("Couldn't reopen /dev/ppp: %m"); >> goto err; >> -@@ -619,7 +619,7 @@ static int make_ppp_unit() >> +@@ -904,7 +904,7 @@ >> dbglog("in make_ppp_unit, already had /dev/ppp open?"); >> close(ppp_dev_fd); >> } >> @@ -86,7 +58,7 @@ index 8a12fa0..00a2cf5 100644 >> if (ppp_dev_fd < 0) >> fatal("Couldn't open /dev/ppp: %m"); >> flags =3D fcntl(ppp_dev_fd, F_GETFL); >> -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) >> +@@ -1025,7 +1025,7 @@ >> if (!new_style_driver) >> return -1; >> >> @@ -95,7 +67,7 @@ index 8a12fa0..00a2cf5 100644 >> if (master_fd < 0) >> fatal("Couldn't open /dev/ppp: %m"); >> if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { >> -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) >> +@@ -2533,7 +2533,7 @@ >> if (tune_kernel) { >> forw_path =3D path_to_procfs("/sys/net/ipv4/ip_forward"); >> if (forw_path !=3D 0) { >> @@ -104,7 +76,7 @@ index 8a12fa0..00a2cf5 100644 >> if (fd >=3D 0) { >> if (write(fd, "1", 1) !=3D 1) >> error("Couldn't enable IP forwarding: %m"); >> -@@ -2030,7 +2030,7 @@ int ppp_available(void) >> +@@ -2878,7 +2878,7 @@ >> sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); >> kernel_version =3D KVERSION(osmaj, osmin, ospatch); 
>> >> @@ -113,7 +85,7 @@ index 8a12fa0..00a2cf5 100644 >> if (fd >=3D 0) { >> new_style_driver =3D 1; >> >> -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, c= onst char *host) >> +@@ -3056,7 +3056,7 @@ >> #if __GLIBC__ >=3D 2 >> updwtmp(_PATH_WTMP, &ut); >> #else >> @@ -122,7 +94,7 @@ index 8a12fa0..00a2cf5 100644 >> if (wtmp >=3D 0) { >> flock(wtmp, LOCK_EX); >> >> -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t= his_adr, >> +@@ -3280,7 +3280,7 @@ >> int fd; >> >> path =3D path_to_procfs("/sys/net/ipv4/ip_dynaddr"); >> @@ -131,7 +103,7 @@ index 8a12fa0..00a2cf5 100644 >> if (write(fd, "1", 1) !=3D 1) >> error("Couldn't enable dynamic IP addressing: %m"); >> close(fd); >> -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) >> +@@ -3534,7 +3534,7 @@ >> /* >> * Try the unix98 way first. >> */ >> @@ -140,17 +112,17 @@ index 8a12fa0..00a2cf5 100644 >> if (mfd >=3D 0) { >> int ptn; >> if (ioctl(mfd, TIOCGPTN, &ptn) >=3D 0) { >> -@@ -2851,7 +2851,8 @@ >> +@@ -3545,7 +3545,8 @@ >> if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) >> warn("Couldn't unlock pty slave %s: %m", pty_name); >> #endif >> - if ((sfd =3D open(pty_name, O_RDWR | O_NOCTTY)) < 0) >> + >> -+ if ((sfd =3D open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) = < 0) >> - { >> ++ if ((sfd =3D open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) >> + { >> warn("Couldn't open pty slave %s: %m", pty_name); >> - close(mfd); >> -@@ -2865,10 +2866,10 @@ >> + close(mfd); >> +@@ -3559,10 +3560,10 @@ >> for (i =3D 0; i < 64; ++i) { >> slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", >> 'p' + i / 16, i % 16); 
>> @@ -161,13 +133,12 @@ index 8a12fa0..00a2cf5 100644 >> - sfd =3D open(pty_name, O_RDWR | O_NOCTTY, 0); >> + sfd =3D open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); >> if (sfd >=3D 0) { >> - fchown(sfd, uid, -1); >> - fchmod(sfd, S_IRUSR | S_IWUSR); >> -diff --git a/pppd/tdb.c b/pppd/tdb.c >> -index bdc5828..c7ab71c 100644 >> ---- a/pppd/tdb.c >> -+++ b/pppd/tdb.c >> -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash= _size, int tdb_flags, >> + ret =3D fchown(sfd, uid, -1); >> + if (ret !=3D 0) { >> +diff -Naur pppd.orig/tdb.c pppd/tdb.c >> +--- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200 >> ++++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200 >> +@@ -1728,7 +1728,7 @@ >> goto internal; >> } >> >> @@ -176,7 +147,7 @@ index bdc5828..c7ab71c 100644 >> TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", >> name, strerror(errno))); >> goto fail; /* errno set by open(2) */ >> -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) >> +@@ -1971,7 +1971,7 @@ >> } >> if (close(tdb->fd) !=3D 0) >> TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); >> @@ -185,12 +156,11 @@ index bdc5828..c7ab71c 100644 >> if (tdb->fd =3D=3D -1) { >> TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); >> goto fail; >> -diff --git a/pppd/tty.c b/pppd/tty.c >> -index d571b11..bc96695 100644 >> ---- a/pppd/tty.c >> -+++ b/pppd/tty.c >> -@@ -569,7 +569,7 @@ int connect_tty() >> - status =3D EXIT_OPEN_FAILED; >> +diff -Naur pppd.orig/tty.c pppd/tty.c >> +--- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100 >> ++++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200 >> +@@ -621,7 +621,7 @@ >> + ppp_set_status(EXIT_OPEN_FAILED); >> goto errret; >> } >> - real_ttyfd =3D open(devnam, O_NONBLOCK | O_RDWR, 0); 
>> @@ -198,7 +168,7 @@ index d571b11..bc96695 100644 >> err =3D errno; >> if (prio < OPRIO_ROOT && seteuid(0) =3D=3D -1) >> fatal("Unable to regain privileges"); >> -@@ -723,7 +723,7 @@ int connect_tty() >> +@@ -775,7 +775,7 @@ >> if (connector =3D=3D NULL && modem && devnam[0] !=3D 0) { >> int i; >> for (;;) { >> @@ -207,12 +177,11 @@ index d571b11..bc96695 100644 >> break; >> if (errno !=3D EINTR) { >> error("Failed to reopen %s: %m", devnam); >> -diff --git a/pppd/utils.c b/pppd/utils.c >> -index 29bf970..6051b9a 100644 >> ---- a/pppd/utils.c >> -+++ b/pppd/utils.c >> -@@ -918,14 +918,14 @@ lock(dev) >> - slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); >> +diff -Naur pppd.orig/utils.c pppd/utils.c >> +--- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100 >> ++++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200 >> +@@ -843,14 +843,14 @@ >> + slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDI= R, dev); >> #endif >> >> - while ((fd =3D open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0)= { >> @@ -228,7 +197,7 @@ index 29bf970..6051b9a 100644 >> if (fd < 0) { >> if (errno =3D=3D ENOENT) /* This is just a timing problem. */ >> continue; >> -@@ -1004,7 +1004,7 @@ relock(pid) >> +@@ -933,7 +933,7 @@ >> >> if (lock_file[0] =3D=3D 0) >> return -1; >> @@ -237,6 +206,3 @@ index 29bf970..6051b9a 100644 >> if (fd < 0) { >> error("Couldn't reopen lock file %s: %m", lock_file); >> lock_file[0] =3D 0; >> --- >> -1.8.3.1 >> - >> diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-= creating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEX= EC-when-creating-socket.patch >> new file mode 100644 >> index 000000000..cfd72e468 >> --- /dev/null >> +++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creatin= g-socket.patch 
>> @@ -0,0 +1,135 @@ >> +diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoa= tm.c >> +--- pppd.orig/plugins/pppoatm/pppoatm.c 2023-03-25 05:38:30.000000000 +01= 00 >> ++++ pppd/plugins/pppoatm/pppoatm.c 2023-06-30 13:21:33.397378347 +0200 >> +@@ -146,7 +146,7 @@ >> + >> + if (!device_got_set) >> + no_device_given_pppoatm(); >> +- fd =3D socket(AF_ATMPVC, SOCK_DGRAM, 0); >> ++ fd =3D socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (fd < 0) >> + fatal("failed to create socket: %m"); >> + memset(&qos, 0, sizeof qos); >> +diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c >> +--- pppd.orig/plugins/pppoe/if.c 2022-12-30 02:12:39.000000000 +0100 >> ++++ pppd/plugins/pppoe/if.c 2023-06-30 13:24:11.372183452 +0200 >> +@@ -116,7 +116,7 @@ >> + stype =3D SOCK_PACKET; >> + #endif >> + >> +- if ((fd =3D socket(domain, stype, htons(type))) < 0) { >> ++ if ((fd =3D socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { >> + /* Give a more helpful message for the common error case */ >> + if (errno =3D=3D EPERM) { >> + fatal("Cannot create raw socket -- pppoe must be run as root."); >> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c >> +--- pppd.orig/plugins/pppoe/plugin.c 2023-03-25 05:38:30.000000000 +0100 >> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200 >> +@@ -155,7 +155,7 @@ >> + /* server equipment). 
= */ >> + /* Opening this socket just before waitForPADS in the discovery() = */ >> + /* function would be more appropriate, but it would mess-up the code= */ >> +- conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); >> ++ conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC,= PX_PROTO_OE); >> + if (conn->sessionSocket < 0) { >> + error("Failed to create PPPoE socket: %m"); >> + return -1; >> +@@ -166,7 +166,7 @@ >> + lcp_wantoptions[0].mru =3D conn->mru =3D conn->storedmru; >> + >> + /* Update maximum MRU */ >> +- s =3D socket(AF_INET, SOCK_DGRAM, 0); >> ++ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (s < 0) { >> + error("Can't get MTU for %s: %m", conn->ifName); >> + goto errout; >> +@@ -364,7 +364,7 @@ >> + } >> + >> + /* Open a socket */ >> +- if ((fd =3D socket(PF_PACKET, SOCK_RAW, 0)) < 0) { >> ++ if ((fd =3D socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { >> + r =3D 0; >> + } >> + >> +diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/op= enl2tp.c >> +--- pppd.orig/plugins/pppol2tp/openl2tp.c 2023-03-10 02:50:41.000000000 += 0100 >> ++++ pppd/plugins/pppol2tp/openl2tp.c 2023-06-30 13:22:30.055768865 +0200 >> +@@ -93,7 +93,7 @@ >> + int result; >> + >> + if (openl2tp_fd < 0) { >> +- openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM, 0); >> ++ openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (openl2tp_fd < 0) { >> + error("openl2tp connection create: %m"); >> + return -ENOTCONN; >> +diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/pp= pol2tp.c >> +--- pppd.orig/plugins/pppol2tp/pppol2tp.c 2022-12-30 02:12:39.000000000 += 0100 >> ++++ pppd/plugins/pppol2tp/pppol2tp.c 2023-06-30 13:23:13.493756755 +0200 >> +@@ -220,7 +220,7 @@ >> + struct ifreq ifr; >> + int fd; >> + >> +- fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> ++ fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (fd >=3D 0) { >> + memset (&ifr, '\0', sizeof (ifr)); >> + 
ppp_get_ifname(ifr.ifr_name, sizeof(ifr.ifr_name)); >> +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c >> +--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200 >> ++++ pppd/sys-linux.c 2023-06-30 13:32:50.021272249 +0200 >> +@@ -499,12 +499,12 @@ >> + void sys_init(void) >> + { >> + /* Get an internet socket for doing socket ioctls. */ >> +- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> ++ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (sock_fd < 0) >> + fatal("Couldn't create IP socket: %m(%d)", errno); >> + >> + #ifdef PPP_WITH_IPV6CP >> +- sock6_fd =3D socket(AF_INET6, SOCK_DGRAM, 0); >> ++ sock6_fd =3D socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (sock6_fd < 0) >> + sock6_fd =3D -errno; /* save errno for later */ >> + #endif >> +@@ -2675,7 +2675,7 @@ >> + struct ifreq ifreq; >> + int ret, sock_fd; >> + >> +- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> ++ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (sock_fd < 0) >> + return -1; >> + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); >> +@@ -2698,7 +2698,7 @@ >> + struct ifreq ifreq; >> + int ret, sock_fd; >> + >> +- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); >> ++ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (sock_fd < 0) >> + return -1; >> + >> +@@ -2915,7 +2915,7 @@ >> + /* >> + * Open a socket for doing the ioctl operations. >> + */ >> +- s =3D socket(AF_INET, SOCK_DGRAM, 0); >> ++ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); >> + if (s < 0) >> + return 0; >> + >> +diff -Naur pppd.orig/tty.c pppd/tty.c >> +--- pppd.orig/tty.c 2023-06-30 13:14:06.450418113 +0200 >> ++++ pppd/tty.c 2023-06-30 13:33:31.285858278 +0200 >> +@@ -942,7 +942,7 @@ >> + *sep =3D ':'; >> + >> + /* get a socket and connect it to the other end */ >> +- sock =3D socket(PF_INET, SOCK_STREAM, 0); >> ++ sock =3D socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); >> + if (sock < 0) { >> + error("Can't create socket: %m"); >> + return -1; 
>> diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch = b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch >> new file mode 100644 >> index 000000000..002b6066d >> --- /dev/null >> +++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch >> @@ -0,0 +1,12 @@ >> +diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h >> +--- pppd.orig/plugins/pppoe/pppoe.h 2022-12-30 02:12:39.000000000 +0100 >> ++++ pppd/plugins/pppoe/pppoe.h 2023-06-30 13:37:07.189078090 +0200 >> +@@ -143,7 +143,7 @@ >> + #define STATE_TERMINATED 4 >> + >> + /* How many PADI/PADS attempts? */ >> +-#define MAX_PADI_ATTEMPTS 3 >> ++#define MAX_PADI_ATTEMPTS 4 >> + >> + /* Initial timeout for PADO/PADS */ >> + #define PADI_TIMEOUT 5 >> diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/p= pp/ppp-2.5.0-5-headers_4.9.patch >> new file mode 100644 >> index 000000000..dc6c22852 >> --- /dev/null >> +++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch >> @@ -0,0 +1,12 @@ >> +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c >> +--- pppd.orig/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200 >> ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:50:23.150026201 +0200 >> +@@ -46,6 +46,8 @@ >> + #include >> + #include >> + #include >> ++#define _LINUX_IN_H >> ++#define _LINUX_IN6_H >> + #include >> + >> + #include >> diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-= properly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags= -properly.patch >> new file mode 100644 >> index 000000000..0e9eab6ed >> --- /dev/null >> +++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properl= y.patch 
>> @@ -0,0 +1,18 @@ >> +diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure >> +--- ppp-2.5.0.orig/configure 2023-03-25 05:38:36.000000000 +0100 >> ++++ ppp-2.5.0/configure 2023-06-30 14:05:14.773950477 +0200 >> +@@ -17774,10 +17774,10 @@ >> + rm -f $2 >> + if [ -f $1 ]; then >> + echo " $2 <=3D $1" >> +- sed -e "s,@DESTDIR@,$prefix,g" \ >> +- -e "s,@SYSCONF@,$sysconfdir,g" \ >> +- -e "s,@CC@,$CC,g" \ >> +- -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2 >> ++ sed -e "s#@DESTDIR@#$prefix#g" \ >> ++ -e "s#@SYSCONF@#$sysconfdir#g" \ >> ++ -e "s#@CC@#$CC#g" \ >> ++ -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2 >> + fi >> + } >> + >> --=20 >> 2.41.0 >> >=20 --=20 Sent from my laptop --===============6794601345844445168==--
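Review bot: in ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch, first hunk (@@ -1,23 +1,7 @@), the From/Date/Subject header crediting Michal Sekletar and the diffstat are removed, and the file now starts directly at "diff -Naur pppd.orig/eap.c pppd/eap.c". Keep a short header in the refreshed patch naming the original author and subject ("everywhere: O_CLOEXEC harder"), so the origin of the change stays traceable after the rename.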
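Review bot: in ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch, pppd/main.c section (@@ -26,34 +10,23 @@), the old device_script hunk that added O_CLOEXEC to the open of _PATH_CONNERRS is removed and nothing replaces it; only the fd_devnull hunk is carried over. If the 2.5.0 source no longer needs that change, say so in the commit message; otherwise the hunk should be rebased onto the new code, because as posted that descriptor is opened without close-on-exec again.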
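Review bot: in ppp-2.5.0-4-increase-max-padi-attempts.patch the change of MAX_PADI_ATTEMPTS from 3 to 4 in pppd/plugins/pppoe/pppoe.h has no rationale in the patch file, which starts directly at the diff header. Add one or two lines above the diff saying why four attempts are wanted, so the next version bump can tell whether the patch is still required.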
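Review bot: in ppp-2.5.0-5-headers_4.9.patch the two added lines in pppd/plugins/pppoe/plugin.c, "#define _LINUX_IN_H" and "#define _LINUX_IN6_H", pre-define the include guards of kernel headers to keep them from being pulled in, which is fragile and undocumented in the hunk. Put a comment above the defines naming the header conflict they avoid, and since the patch name refers to 4.9 headers, check whether the workaround is still needed when building 2.5.0.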
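Review bot: in ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch (@@ -17774,10 +17774,10 @@) switching every sed expression to "#" as the delimiter only moves the problem: a "#" in $prefix, $sysconfdir, $CC or $CFLAGS now breaks the expression, and "&" or a backslash in any of those values is still interpreted by sed in the replacement text. State in the patch which value broke the original "," delimiter, and consider escaping the substituted values before they reach sed instead of relying on the choice of delimiter.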