Hi,

> On 27 May 2019, at 21:26, Peter Müller wrote:
>
> Hello all,
>
> after testing too little in the past months, I am hereby
> trying to catch up for announced Core Update 132.

Cool!

>
> Most services are running as expected:
> - IPsec
> - OpenVPN (tested with RW connections only)
> - DDNS
> - Squid (non-transparent, including upstream proxy)
> - Suricata (IPS mode, activated on all interfaces)
>
> Tor suffers from missing libseccomp dependency and a permission
> bug (see #12088), but starts correctly after installing the
> library and fixing /var/lib/tor permissions manually.
>
> I can confirm IDS rulesets download works in combination
> with an upstream proxy now (tested with Emerging Threats).
>
> Suricata seems to drop some packets (as internal connections
> sometimes take ages to establish), but does not log anything.
> This requires some further investigation, and it is kind
> of an evident-missing blame at the moment.

Yes. I am aware of this and we have a ticket for it:

https://bugzilla.ipfire.org/show_bug.cgi?id=12078

>
> Talking about the all-new-and-improved Intel CPU vulnerabilities,
> disabling SMT automatically seems to work:
>
>> [root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/*
>> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
>> /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled
>> /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
>> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
>> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
>> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling

You got a royal flush there. Almost hit them all.

> (CPU is an Intel Celeron N3150 4x 1.60 GHz.)
>
> However, the new WebUI CGI is partly missing German translations,
> and claims "Simultaneous Multi-Threading (SMT) is not supported". The
> latter is confusing, as the system states the opposite.

This is what we get from the kernel.

> Talking about aesthetics, the CGI is a bit messy, but that
> is not a functionality problem and might be fixed in an upcoming
> update.

Yes I know. I mentioned I did this as quickly as possible to make the release.

Please send in patches :)

-Michael

>
> Thanks, and best regards,
> Peter Müller
> --
> The road to Hades is easy to travel.
> -- Bion of Borysthenes
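
A scripted version of the check quoted in the thread, added here as an example and not part of the original mails or of IPFire's code. The function and variable names are hypothetical, and the `smt/control` value in the demo tree is an assumption; the three vulnerability statuses are copied from the quoted output.

```shell
#!/bin/sh
# Added example: classify the kernel's CPU vulnerability report.
# check_cpu_vulns [CPU_DIR] prints one line per entry and returns 1 if any
# entry is Vulnerable, or mitigated with SMT still exposed; otherwise 0.
check_cpu_vulns() {
    cpu_dir="${1:-/sys/devices/system/cpu}"
    rc=0
    for f in "$cpu_dir"/vulnerabilities/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        status=$(cat "$f")
        case "$status" in
            "Not affected"*)               class=OK ;;
            Mitigation:*"SMT vulnerable"*) class=PARTIAL; rc=1 ;;
            Mitigation:*)                  class=MITIGATED ;;
            Vulnerable*)                   class=VULNERABLE; rc=1 ;;
            *)                             class=UNKNOWN ;;
        esac
        printf '%-10s %-18s %s\n' "$class" "$name" "$status"
    done
    # The kernel's own SMT switch: on, off, forceoff, notsupported, notimplemented.
    if [ -r "$cpu_dir/smt/control" ]; then
        printf '%-10s %-18s %s\n' INFO smt/control "$(cat "$cpu_dir/smt/control")"
    fi
    return "$rc"
}

# Demo on a scratch tree: three statuses copied from the report in the thread;
# the smt/control value is an assumption made for this example.
demo_thread_values() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/vulnerabilities" "$tmp/smt"
    echo 'Not affected' > "$tmp/vulnerabilities/l1tf"
    echo 'Mitigation: Clear CPU buffers; SMT disabled' > "$tmp/vulnerabilities/mds"
    echo 'Mitigation: PTI' > "$tmp/vulnerabilities/meltdown"
    echo 'notsupported' > "$tmp/smt/control"
    check_cpu_vulns "$tmp"; demo_rc=$?
    rm -rf "$tmp"
    return "$demo_rc"
}

demo_thread_values
```

Run without arguments, `check_cpu_vulns` reads the live sysfs tree, so its exit status can be used directly in a post-update health check.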