From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] ppp: Fixes bug#13164 - Update to version 2.5.0
Date: Mon, 03 Jul 2023 15:11:19 +0100
In-Reply-To: <20230702095432.3804-1-adolf.belka@ipfire.org>

Hello Adolf,

This might be a tricky version update...

> On 2 Jul 2023, at 10:54, Adolf Belka wrote:
>
> - Update from version 2.4.9 to 2.5.0
>   This includes breaking changes for third-party plugins but as far as I can see IPFire
>   is not using any third party plugins

No, we should no longer build the Roaring Penguin PPPoE plugin from their source, but use the included one.

> - Update of rootfile
> - Update of patches and sed commands
> - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
> - Some of the patches required updates as additional lines needing to be patched are
>   now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches

Yes, these can go. We should be able to rely on upstream to build this for modern OSes.

> - connect-errors file location is now defined by a configure command --with-logfile-dir
> - install-etcppp is no longer provided. However the install command in this version still
>   has the same files available in /etc/ppp as previously. There is a new file,
>   openssl.cnf, which I have commented out. If it is required in future it can always be
>   uncommented in future releases.
> - Build went without any problems with the updated patches.
> - I cannot test this as I don't use ppp, however the original bug reporter has agreed to
>   test this out when it is released into Testing unless anyone else is capable of testing
>   it.

So, we didn’t have any issues with this in the past, but however, if we break this, then people won’t have an Internet connection any more to download any fixes. So let’s please make sure that we give this all extra attention and this won’t happen.

Sadly, I don’t have a PPP connection either.

Reviewed-by: Michael Tremer

> - Changelog
>   What's new in ppp-2.5.0.
>     The 2.5.0 release is a major release of pppd which contains breaking
>     changes for third-party plugins, a complete revamp of the build-system
>     and that allows for flexibility of configuring features as needed.
>     In Summary:
>     * Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
>     * Support for loading PKCS12 certificate envelopes
>     * Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
>       and others.
>     * Support for pkgconfig tool has been added by Eivind Næss.
>     * Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
>     * Major revision to PPPD's Plugin API by Eivind Næss.
>       - Defines in which describes what features was included in pppd
>       - Functions now prefixed with explicit ppp_* to indicate that
>         pppd functions being called.
>       - Header files were renamed to better align with their features,
>         and now use proper include guards
>       - A pppdconf.h file is supplied to allow third-party modules to use
>         the same feature defines pppd was compiled with.
>       - No extern declarations of internal variable names of pppd,
>         continued use of these extern variables are considered
>         unstable.
>     * Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
>     * Dropped IPX support, as Linux has dropped support in version 5.15
>       for this protocol.
>     * Many more fixes and cleanups.
>     * Pppd is no longer installed setuid-root.

CAP_NET_ADMIN should be sufficient. We will however still run pppd as root only.

>     * New pppd options:
>       - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
>         ipv6-up-script, ipv6-down-script
>       - -v, show-options
>       - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
>     * On Linux, any baud rate can be set on a serial port provided the
>       kernel serial driver supports that.
>     Note that if you have built and installed previous versions of this
>     package and you want to continue having configuration and TDB files in
>     /etc/ppp, you will need to use the --sysconfdir option to ./configure.
>     For a list of the changes made during the 2.4 series releases of this
>     package, see the Changes-2.4 file.
>   Compression methods.
>     This package supports two packet compression methods: Deflate and
>     BSD-Compress. Other compression methods which are in common use
>     include Predictor, LZS, and MPPC. These methods are not supported for
>     two reasons - they are patent-encumbered, and they cause some packets
>     to expand slightly, which pppd doesn't currently allow for.
>     BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
>     ever expand packets.

-Michael

> Fixes: bug#13164
> Signed-off-by: Adolf Belka > --- > config/rootfiles/common/ppp | 58 +++--- > lfs/ppp | 28 +-- > ...se-SOCK_CLOEXEC-when-creating-socket.patch | 165 ------------------ > ...ppp-2.4.6-increase-max-padi-attempts.patch | 13 -- > src/patches/ppp/ppp-2.4.7-headers_4.9.patch | 12 -- > ...-configure-to-handle-cflags-properly.patch | 15 -- > ...don-t-want-to-accidentally-leak-fds.patch} | 115 +++++++----- > ...2.5.0-2-everywhere-O_CLOEXEC-harder.patch} | 136 ++++++--------- > ...se-SOCK_CLOEXEC-when-creating-socket.patch | 135 ++++++++++++++ > ...p-2.5.0-4-increase-max-padi-attempts.patch | 12 ++ > src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch | 12 ++ > ...-configure-to-handle-cflags-properly.patch | 18 ++ > 12 files changed, 344 insertions(+), 375 deletions(-) > delete mode 100644 src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-cr= eating-socket.patch > delete mode 100644 src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.pat= ch > delete mode 100644 src/patches/ppp/ppp-2.4.7-headers_4.9.patch > delete mode 100644 src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cfla= gs-properly.patch > rename src/patches/ppp/{0012-pppd-we-don-t-want-to-accidentally-leak-fds.pa= tch =3D> ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch} (54%) > rename src/patches/ppp/{0013-everywhere-O_CLOEXEC-harder.patch =3D> ppp-2.5= .0-2-everywhere-O_CLOEXEC-harder.patch} (63%) > create mode 100644 src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-= when-creating-socket.patch > create mode 100644 src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.p= atch > create mode 100644 src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch > create mode 100644 src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cf= lags-properly.patch >=20 > diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp > index d61fdf811..6098fa7c3 100644 > --- a/config/rootfiles/common/ppp > +++ b/config/rootfiles/common/ppp 
> @@ -7,49 +7,57 @@ etc/ppp/dialer > etc/ppp/ioptions > etc/ppp/ip-down > etc/ppp/ip-up > +#etc/ppp/openssl.cnf > etc/ppp/options > etc/ppp/pap-secrets > etc/ppp/standardloginscript > #usr/include/pppd > +#usr/include/pppd/cbcp.h > #usr/include/pppd/ccp.h > -#usr/include/pppd/chap-new.h > +#usr/include/pppd/chap.h > #usr/include/pppd/chap_ms.h > -#usr/include/pppd/eap-tls.h > +#usr/include/pppd/crypto.h > +#usr/include/pppd/crypto_ms.h > #usr/include/pppd/eap.h > #usr/include/pppd/ecp.h > #usr/include/pppd/eui64.h > #usr/include/pppd/fsm.h > #usr/include/pppd/ipcp.h > #usr/include/pppd/ipv6cp.h > -#usr/include/pppd/ipxcp.h > #usr/include/pppd/lcp.h > #usr/include/pppd/magic.h > -#usr/include/pppd/md4.h > -#usr/include/pppd/md5.h > #usr/include/pppd/mppe.h > -#usr/include/pppd/patchlevel.h > -#usr/include/pppd/pathnames.h > -#usr/include/pppd/pppcrypt.h > +#usr/include/pppd/multilink.h > +#usr/include/pppd/options.h > #usr/include/pppd/pppd.h > +#usr/include/pppd/pppdconf.h > #usr/include/pppd/session.h > -#usr/include/pppd/sha1.h > -#usr/include/pppd/spinlock.h > -#usr/include/pppd/tdb.h > #usr/include/pppd/upap.h > +#usr/lib/pkgconfig/pppd.pc > usr/lib/pppd > -usr/lib/pppd/2.4.9 > -usr/lib/pppd/2.4.9/minconn.so > -usr/lib/pppd/2.4.9/openl2tp.so > -usr/lib/pppd/2.4.9/passprompt.so > -usr/lib/pppd/2.4.9/passwordfd.so > -usr/lib/pppd/2.4.9/pppoatm.so > -usr/lib/pppd/2.4.9/pppoe.so > -usr/lib/pppd/2.4.9/pppol2tp.so > -usr/lib/pppd/2.4.9/radattr.so > -usr/lib/pppd/2.4.9/radius.so > -usr/lib/pppd/2.4.9/radrealms.so > -usr/lib/pppd/2.4.9/rp-pppoe.so > -usr/lib/pppd/2.4.9/winbind.so > +usr/lib/pppd/2.5.0 > +#usr/lib/pppd/2.5.0/minconn.la > +usr/lib/pppd/2.5.0/minconn.so > +#usr/lib/pppd/2.5.0/openl2tp.la > +usr/lib/pppd/2.5.0/openl2tp.so > +#usr/lib/pppd/2.5.0/passprompt.la > +usr/lib/pppd/2.5.0/passprompt.so > +#usr/lib/pppd/2.5.0/passwordfd.la > +usr/lib/pppd/2.5.0/passwordfd.so > +#usr/lib/pppd/2.5.0/pppoatm.la > +usr/lib/pppd/2.5.0/pppoatm.so > 
+#usr/lib/pppd/2.5.0/pppoe.la > +usr/lib/pppd/2.5.0/pppoe.so > +#usr/lib/pppd/2.5.0/pppol2tp.la > +usr/lib/pppd/2.5.0/pppol2tp.so > +#usr/lib/pppd/2.5.0/radattr.la > +usr/lib/pppd/2.5.0/radattr.so > +#usr/lib/pppd/2.5.0/radius.la > +usr/lib/pppd/2.5.0/radius.so > +#usr/lib/pppd/2.5.0/radrealms.la > +usr/lib/pppd/2.5.0/radrealms.so > +#usr/lib/pppd/2.5.0/winbind.la > +usr/lib/pppd/2.5.0/winbind.so > usr/sbin/chat > usr/sbin/pppd > usr/sbin/pppdump > @@ -60,5 +68,7 @@ usr/sbin/pppstats > #usr/share/man/man8/pppd-radius.8 > #usr/share/man/man8/pppd.8 > #usr/share/man/man8/pppdump.8 > +#usr/share/man/man8/pppoe-discovery.8 > #usr/share/man/man8/pppstats.8 > var/log/connect-errors > + > diff --git a/lfs/ppp b/lfs/ppp > index fb46d8aac..fc4528ece 100644 > --- a/lfs/ppp > +++ b/lfs/ppp > @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2021 IPFire Team = # > +# Copyright (C) 2007-2023 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 2.4.9 > +VER =3D 2.5.0 >=20 > THISAPP =3D ppp-$(VER) > DL_FILE =3D $(THISAPP).tar.gz > @@ -42,7 +42,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_BLAKE2 =3D 2cc885c32b7d33dc48766097f1f4c9cd0754924a8c0630ccaa58= b2989e6b43a197ca0d41f5f16956c395278a12023d490e085f5635e23b53c5603ba61cfc40d5 > +$(DL_FILE)_BLAKE2 =3D 6a0e9efcbff3cb499705071cc7d0e3411cf4871fd53b2bfedbb1= f2cf3ad80728eb436050cf33b78e36d473be64f15907a21da17f283337455f0af379bc18272d >=20 > install : $(TARGET) >=20 
> @@ -72,18 +72,20 @@ $(subst %,%_BLAKE2,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && rm -f include/pcap-int.h include/linux/if_pppol2tp.h > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0012-pppd-we-do= n-t-want-to-accidentally-leak-fds.patch > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0013-everywhere= -O_CLOEXEC-harder.patch > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/0014-everywhere= -use-SOCK_CLOEXEC-when-creating-socket.patch > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.6-incre= ase-max-padi-attempts.patch > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.7-heade= rs_4.9.patch > - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.4.9-patch= -configure-to-handle-cflags-properly.patch > - cd $(DIR_APP) && sed -i -e "s+/etc/ppp/connect-errors+/var/log/connect-er= rors+" pppd/pathnames.h > - cd $(DIR_APP) && ./configure --prefix=3D/usr --cc=3D"gcc" --cflags=3D"$(C= FLAGS)" --disable-nls > + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-= don-t-want-to-accidentally-leak-fds.patch > + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-2-eve= rywhere-O_CLOEXEC-harder.patch > + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-eve= rywhere-use-SOCK_CLOEXEC-when-creating-socket.patch > + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-inc= rease-max-padi-attempts.patch > + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-hea= ders_4.9.patch > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-pat= ch-configure-to-handle-cflags-properly.patch > + cd $(DIR_APP) && ./configure \ > + --prefix=3D/usr \ > + --sysconfdir=3D/etc \ > + --with-logfile-dir=3D/var/log \ > + cc=3D"gcc" \ > + cflags=3D"$(CFLAGS)" > cd 
$(DIR_APP) && make $(MAKETUNING) > cd $(DIR_APP) && make install > - cd $(DIR_APP) && make install-etcppp > touch /var/log/connect-errors > -mkdir -p /etc/ppp > for i in $(DIR_SRC)/src/ppp/* ; do \ > diff --git a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating= -socket.patch b/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creatin= g-socket.patch > deleted file mode 100644 > index fffda981d..000000000 > --- a/src/patches/ppp/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket= .patch > +++ /dev/null 
> @@ -1,165 +0,0 @@ > -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 > -From: Michal Sekletar > -Date: Mon, 7 Apr 2014 14:21:41 +0200 > -Subject: [PATCH 14/25] everywhere: use SOCK_CLOEXEC when creating socket > - > ---- > - pppd/plugins/pppoatm/pppoatm.c | 2 +- > - pppd/plugins/pppol2tp/openl2tp.c | 2 +- > - pppd/plugins/pppol2tp/pppol2tp.c | 2 +- > - pppd/plugins/pppoe/if.c | 2 +- > - pppd/plugins/pppoe/plugin.c | 6 +++--- > - pppd/plugins/pppoe/pppoe-discovery.c | 2 +- > - pppd/sys-linux.c | 10 +++++----- > - pppd/tty.c | 2 +- > - 8 files changed, 14 insertions(+), 14 deletions(-) > - > -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm= .c > -index d693350..c31bb34 100644 > ---- a/pppd/plugins/pppoatm/pppoatm.c > -+++ b/pppd/plugins/pppoatm/pppoatm.c > -@@ -135,7 +135,7 @@ static int connect_pppoatm(void) > -=20 > - if (!device_got_set) > - no_device_given_pppoatm(); > -- fd =3D socket(AF_ATMPVC, SOCK_DGRAM, 0); > -+ fd =3D socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (fd < 0) > - fatal("failed to create socket: %m"); > - memset(&qos, 0, sizeof qos); > -diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/open= l2tp.c > -index 9643b96..1099575 100644 > ---- a/pppd/plugins/pppol2tp/openl2tp.c > -+++ b/pppd/plugins/pppol2tp/openl2tp.c > -@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) > - int result; > -=20 > - if (openl2tp_fd < 0) { > -- openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM, 0); > -+ openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (openl2tp_fd < 0) { > - error("openl2tp connection create: %m"); > - return -ENOTCONN; > -diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppo= l2tp.c > -index a7e3400..e64a778 100644 > ---- a/pppd/plugins/pppol2tp/pppol2tp.c > -+++ b/pppd/plugins/pppol2tp/pppol2tp.c > -@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, > - struct ifreq ifr; > - int fd; > -=20 > -- fd =3D socket(AF_INET, 
SOCK_DGRAM, 0); > -+ fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (fd >=3D 0) { > - memset (&ifr, '\0', sizeof (ifr)); > - strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); > -diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c > -index 91e9a57..72aba41 100644 > ---- a/pppd/plugins/pppoe/if.c > -+++ b/pppd/plugins/pppoe/if.c > -@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsig= ned char *hwaddr) > - stype =3D SOCK_PACKET; > - #endif > -=20 > -- if ((fd =3D socket(domain, stype, htons(type))) < 0) { > -+ if ((fd =3D socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { > - /* Give a more helpful message for the common error case */ > - if (errno =3D=3D EPERM) { > - fatal("Cannot create raw socket -- pppoe must be run as root."); > -diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c > -index a8c2bb4..24bdf8f 100644 > ---- a/pppd/plugins/pppoe/plugin.c > -+++ b/pppd/plugins/pppoe/plugin.c > -@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) > - /* server equipment). 
= */ > - /* Opening this socket just before waitForPADS in the discovery() = */ > - /* function would be more appropriate, but it would mess-up the code = */ > -- conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); > -+ conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, = PX_PROTO_OE); > - if (conn->sessionSocket < 0) { > - error("Failed to create PPPoE socket: %m"); > - return -1; > -@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) > - lcp_wantoptions[0].mru =3D conn->mru; > -=20 > - /* Update maximum MRU */ > -- s =3D socket(AF_INET, SOCK_DGRAM, 0); > -+ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (s < 0) { > - error("Can't get MTU for %s: %m", conn->ifName); > - goto errout; > -@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) > - } > -=20 > - /* Open a socket */ > -- if ((fd =3D socket(PF_PACKET, SOCK_RAW, 0)) < 0) { > -+ if ((fd =3D socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { > - r =3D 0; > - } > -=20 > -diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/ppp= oe-discovery.c > -index 3d3bf4e..c0d927d 100644 > ---- a/pppd/plugins/pppoe/pppoe-discovery.c > -+++ b/pppd/plugins/pppoe/pppoe-discovery.c > -@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsig= ned char *hwaddr) > - stype =3D SOCK_PACKET; > - #endif > -=20 > -- if ((fd =3D socket(domain, stype, htons(type))) < 0) { > -+ if ((fd =3D socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { > - /* Give a more helpful message for the common error case */ > - if (errno =3D=3D EPERM) { > - rp_fatal("Cannot create raw socket -- pppoe must be run as root."); > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index 00a2cf5..0690019 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int = set_bits) > - void sys_init(void) > - { > - /* Get an internet socket for doing socket ioctls. 
*/ > -- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); > -+ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (sock_fd < 0) > - fatal("Couldn't create IP socket: %m(%d)", errno); > -=20 > - #ifdef INET6 > -- sock6_fd =3D socket(AF_INET6, SOCK_DGRAM, 0); > -+ sock6_fd =3D socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (sock6_fd < 0) > - sock6_fd =3D -errno; /* save errno for later */ > - #endif > -@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) > - struct ifreq ifreq; > - int ret, sock_fd; > -=20 > -- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); > -+ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (sock_fd < 0) > - return 0; > - memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); > -@@ -2067,7 +2067,7 @@ int ppp_available(void) > - /* > - * Open a socket for doing the ioctl operations. > - */ > -- s =3D socket(AF_INET, SOCK_DGRAM, 0); > -+ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > - if (s < 0) > - return 0; > -=20 > -diff --git a/pppd/tty.c b/pppd/tty.c > -index bc96695..8e76a5d 100644 > ---- a/pppd/tty.c > -+++ b/pppd/tty.c > -@@ -896,7 +896,7 @@ open_socket(dest) > - *sep =3D ':'; > -=20 > - /* get a socket and connect it to the other end */ > -- sock =3D socket(PF_INET, SOCK_STREAM, 0); > -+ sock =3D socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); > - if (sock < 0) { > - error("Can't create socket: %m"); > - return -1; > ---=20 > -1.8.3.1 > - > diff --git a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch b/s= rc/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch > deleted file mode 100644 > index 1b36e8369..000000000 > --- a/src/patches/ppp/ppp-2.4.6-increase-max-padi-attempts.patch > +++ /dev/null 
> @@ -1,13 +0,0 @@ > -diff --git a/pppd/plugins/pppoe/pppoe.h b/pppd/plugins/pppoe/pppoe.h > -index 9ab2eee..86762bd 100644 > ---- a/pppd/plugins/pppoe/pppoe.h > -+++ b/pppd/plugins/pppoe/pppoe.h > -@@ -148,7 +148,7 @@ extern UINT16_t Eth_PPPOE_Session; > - #define STATE_TERMINATED 4 > -=20 > - /* How many PADI/PADS attempts? */ > --#define MAX_PADI_ATTEMPTS 3 > -+#define MAX_PADI_ATTEMPTS 4 > -=20 > - /* Initial timeout for PADO/PADS */ > - #define PADI_TIMEOUT 5 > diff --git a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch b/src/patches/ppp/= ppp-2.4.7-headers_4.9.patch > deleted file mode 100644 > index 686db9204..000000000 > --- a/src/patches/ppp/ppp-2.4.7-headers_4.9.patch > +++ /dev/null > @@ -1,12 +0,0 @@ > -diff -Naur ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c ppp-2.4.7/pppd/plugin= s/pppoe/plugin.c > ---- ppp-2.4.7.org/pppd/plugins/pppoe/plugin.c 2014-08-09 14:31:39.00000000= 0 +0200 > -+++ ppp-2.4.7/pppd/plugins/pppoe/plugin.c 2017-02-09 08:45:12.567493723 +0= 100 > -@@ -49,6 +49,8 @@ > - #include > - #include > - #include > -+#define _LINUX_IN_H > -+#define _LINUX_IN6_H > - #include > -=20 > - #ifndef _ROOT_PATH > diff --git a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-pro= perly.patch b/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-prop= erly.patch > deleted file mode 100644 > index b36ace192..000000000 > --- a/src/patches/ppp/ppp-2.4.9-patch-configure-to-handle-cflags-properly.p= atch > +++ /dev/null 
> @@ -1,15 +0,0 @@ > ---- ppp-2.4.9.orig/configure 2021-03-30 21:38:27.415735914 +0200 > -+++ ppp-2.4.9/configure 2021-04-01 19:10:48.632314447 +0200 > -@@ -121,9 +121,9 @@ > - rm -f $2 > - if [ -f $1 ]; then > - echo " $2 <=3D $1" > -- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ > -- -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ > -- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 > -+ sed -e "s#@DESTDIR@#$DESTDIR#g" -e "s#@SYSCONF@#$SYSCONF#g" \ > -+ -e "s#@CROSS_COMPILE@#$CROSS_COMPILE#g" -e "s#@CC@#$CC#g" \ > -+ -e "s#@CFLAGS@#$CFLAGS#g" $1 >$2 > - fi > - } > -=20 > diff --git a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-f= ds.patch b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds= .patch > similarity index 54% > rename from src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fd= s.patch > rename to src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fd= s.patch > index 90bb2d161..98ab03119 100644 > --- a/src/patches/ppp/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch > +++ b/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.pa= tch 
> @@ -1,20 +1,8 @@ > -From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 > -From: Michal Sekletar > -Date: Mon, 7 Apr 2014 12:23:36 +0200 > -Subject: [PATCH 12/25] pppd: we don't want to accidentally leak fds > - > ---- > - pppd/auth.c | 20 ++++++++++---------- > - pppd/options.c | 2 +- > - pppd/sys-linux.c | 4 ++-- > - 3 files changed, 13 insertions(+), 13 deletions(-) > - > -diff --git a/pppd/auth.c b/pppd/auth.c > -index 4271af6..9e957fa 100644 > ---- a/pppd/auth.c > -+++ b/pppd/auth.c > -@@ -428,7 +428,7 @@ setupapfile(argv) > - option_error("unable to reset uid before opening %s: %m", fname); > +diff -Naur pppd.orig/auth.c pppd/auth.c > +--- pppd.orig/auth.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/auth.c 2023-06-30 12:38:13.748482796 +0200 > +@@ -518,7 +518,7 @@ > + free(fname); > return 0; > } > - ufile =3D fopen(fname, "r"); > @@ -22,8 +10,8 @@ index 4271af6..9e957fa 100644 > if (seteuid(euid) =3D=3D -1) > fatal("unable to regain privileges: %m"); > if (ufile =3D=3D NULL) { > -@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdle= n, msg) > - filename =3D _PATH_UPAPFILE; > +@@ -1535,7 +1535,7 @@ > + filename =3D PPP_PATH_UPAPFILE; > addrs =3D opts =3D NULL; > ret =3D UPAP_AUTHNAK; > - f =3D fopen(filename, "r"); 
> @@ -31,52 +19,52 @@ index 4271af6..9e957fa 100644 > if (f =3D=3D NULL) { > error("Can't open PAP password file %s: %m", filename); >=20 > -@@ -1512,7 +1512,7 @@ null_login(unit) > +@@ -1635,7 +1635,7 @@ > if (ret <=3D 0) { > - filename =3D _PATH_UPAPFILE; > + filename =3D PPP_PATH_UPAPFILE; > addrs =3D NULL; > - f =3D fopen(filename, "r"); > + f =3D fopen(filename, "re"); > if (f =3D=3D NULL) > return 0; > check_access(f, filename); > -@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) > +@@ -1681,7 +1681,7 @@ > } >=20 > - filename =3D _PATH_UPAPFILE; > + filename =3D PPP_PATH_UPAPFILE; > - f =3D fopen(filename, "r"); > + f =3D fopen(filename, "re"); > if (f =3D=3D NULL) > return 0; > check_access(f, filename); > -@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) > +@@ -1718,7 +1718,7 @@ > } >=20 > - filename =3D _PATH_UPAPFILE; > + filename =3D PPP_PATH_UPAPFILE; > - f =3D fopen(filename, "r"); > + f =3D fopen(filename, "re"); > if (f =3D=3D NULL) > return 0; >=20 > -@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) > +@@ -1760,7 +1760,7 @@ > } >=20 > - filename =3D _PATH_CHAPFILE; > + filename =3D PPP_PATH_CHAPFILE; > - f =3D fopen(filename, "r"); > + f =3D fopen(filename, "re"); > if (f =3D=3D NULL) > return 0; >=20 > -@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) > +@@ -1798,7 +1798,7 @@ > struct wordlist *addrs; >=20 > - filename =3D _PATH_SRPFILE; > + filename =3D PPP_PATH_SRPFILE; > - f =3D fopen(filename, "r"); > + f =3D fopen(filename, "re"); > if (f =3D=3D NULL) > return 0; >=20 > -@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len,= am_server) > +@@ -1849,7 +1849,7 @@ > addrs =3D NULL; > secbuf[0] =3D 0; >=20 
> @@ -85,8 +73,8 @@ index 4271af6..9e957fa 100644 > if (f =3D=3D NULL) { > error("Can't open chap secret file %s: %m", filename); > return 0; > -@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_serv= er) > - filename =3D _PATH_SRPFILE; > +@@ -1902,7 +1902,7 @@ > + filename =3D PPP_PATH_SRPFILE; > addrs =3D NULL; >=20 > - fp =3D fopen(filename, "r"); > @@ -94,7 +82,7 @@ index 4271af6..9e957fa 100644 > if (fp =3D=3D NULL) { > error("Can't open srp secret file %s: %m", filename); > return 0; > -@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts= , filename, flags) > +@@ -2291,7 +2291,7 @@ > */ > if (word[0] =3D=3D '@' && word[1] =3D=3D '/') { > strlcpy(atfile, word+1, sizeof(atfile)); 
> @@ -103,12 +91,38 @@ index 4271af6..9e957fa 100644 > warn("can't open indirect secret file %s", atfile); > continue; > } > -diff --git a/pppd/options.c b/pppd/options.c > -index 45fa742..1d754ae 100644 > ---- a/pppd/options.c > -+++ b/pppd/options.c > -@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, pr= iv) > - option_error("unable to drop privileges to open %s: %m", filename); > +@@ -2461,7 +2461,7 @@ > + char pkfile[MAXWORDLEN]; > +=20 > + filename =3D PPP_PATH_EAPTLSSERVFILE; > +- f =3D fopen(filename, "r"); > ++ f =3D fopen(filename, "re"); > + if (f =3D=3D NULL) > + return 0; > +=20 > +@@ -2518,7 +2518,7 @@ > + return 1; > +=20 > + filename =3D PPP_PATH_EAPTLSCLIFILE; > +- f =3D fopen(filename, "r"); > ++ f =3D fopen(filename, "re"); > + if (f =3D=3D NULL) > + return 0; > +=20 > +@@ -2738,7 +2738,7 @@ > + filename =3D (am_server ? PPP_PATH_EAPTLSSERVFILE : PPP_PATH_EAPTLSCLIFIL= E); > + addrs =3D NULL; > +=20 > +- fp =3D fopen(filename, "r"); > ++ fp =3D fopen(filename, "re"); > + if (fp =3D=3D NULL) > + { > + error("Can't open eap-tls secret file %s: %m", filename); > +diff -Naur pppd.orig/options.c pppd/options.c > +--- pppd.orig/options.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/options.c 2023-06-30 12:42:19.262593140 +0200 > +@@ -555,7 +555,7 @@ > + ppp_option_error("unable to drop privileges to open %s: %m", filename); > return 0; > } > - f =3D fopen(filename, "r"); 
> @@ -116,11 +130,10 @@ index 45fa742..1d754ae 100644 > err =3D errno; > if (check_prot && seteuid(euid) =3D=3D -1) > fatal("unable to regain privileges"); > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index 72a7727..8a12fa0 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) > +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c > +--- pppd.orig/sys-linux.c 2023-03-10 02:50:41.000000000 +0100 > ++++ pppd/sys-linux.c 2023-06-30 12:43:20.634453475 +0200 > +@@ -1978,7 +1978,7 @@ > /* Default the mount location of /proc */ > strlcpy (proc_path, "/proc", sizeof(proc_path)); > proc_path_len =3D 5; > @@ -129,7 +142,7 @@ index 72a7727..8a12fa0 100644 > if (fp !=3D NULL) { > while ((mntent =3D getmntent(fp)) !=3D NULL) { > if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) =3D=3D 0) > -@@ -1472,7 +1472,7 @@ static int open_route_table (void) > +@@ -2038,7 +2038,7 @@ > close_route_table(); >=20 > path =3D path_to_procfs("/net/route"); > @@ -138,6 +151,12 @@ index 72a7727..8a12fa0 100644 > if (route_fd =3D=3D NULL) { > error("can't open routing table %s: %m", path); > return 0; > ---=20 > -1.8.3.1 > - > +@@ -2322,7 +2322,7 @@ > + close_route_table(); > +=20 > + path =3D path_to_procfs("/net/ipv6_route"); > +- route_fd =3D fopen (path, "r"); > ++ route_fd =3D fopen (path, "re"); > + if (route_fd =3D=3D NULL) { > + error("can't open routing table %s: %m", path); > + return 0; > diff --git a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch b/src/p= atches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch > similarity index 63% > rename from src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch > rename to src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch > index 0fb028779..c205c0e08 100644 > --- a/src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch > +++ b/src/patches/ppp/ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch 
> @@ -1,23 +1,7 @@ > -From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 > -From: Michal Sekletar > -Date: Mon, 7 Apr 2014 13:56:34 +0200 > -Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder > - > ---- > - pppd/eap.c | 2 +- > - pppd/main.c | 4 ++-- > - pppd/options.c | 4 ++-- > - pppd/sys-linux.c | 22 +++++++++++----------- > - pppd/tdb.c | 4 ++-- > - pppd/tty.c | 4 ++-- > - pppd/utils.c | 6 +++--- > - 7 files changed, 23 insertions(+), 23 deletions(-) > - > -diff --git a/pppd/eap.c b/pppd/eap.c > -index 6ea6c1f..faced53 100644 > ---- a/pppd/eap.c > -+++ b/pppd/eap.c > -@@ -1226,7 +1226,7 @@ mode_t modebits; > +diff -Naur pppd.orig/eap.c pppd/eap.c > +--- pppd.orig/eap.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/eap.c 2023-06-30 12:58:07.984676045 +0200 > +@@ -1542,7 +1542,7 @@ >=20 > if ((path =3D name_of_pn_file()) =3D=3D NULL) > return (-1); 
> @@ -26,34 +10,23 @@ index 6ea6c1f..faced53 100644 > err =3D errno; > free(path); > errno =3D err; > -diff --git a/pppd/main.c b/pppd/main.c > -index 87a5d29..152e4a2 100644 > ---- a/pppd/main.c > -+++ b/pppd/main.c > -@@ -400,7 +400,7 @@ main(int argc, char *argv[]) > +diff -Naur pppd.orig/main.c pppd/main.c > +--- pppd.orig/main.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/main.c 2023-06-30 13:00:15.155195676 +0200 > +@@ -479,7 +479,7 @@ > die(0); >=20 > /* Make sure fds 0, 1, 2 are open to somewhere. */ > -- fd_devnull =3D open(_PATH_DEVNULL, O_RDWR); > -+ fd_devnull =3D open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); > +- fd_devnull =3D open(PPP_DEVNULL, O_RDWR); > ++ fd_devnull =3D open(PPP_DEVNULL, O_RDWR | O_CLOEXEC); > if (fd_devnull < 0) > - fatal("Couldn't open %s: %m", _PATH_DEVNULL); > + fatal("Couldn't open %s: %m", PPP_DEVNULL); > while (fd_devnull <=3D 2) { > -@@ -1642,7 +1642,7 @@ device_script(char *program, int in, int out, int do= nt_wait) > - if (log_to_fd >=3D 0) > - errfd =3D log_to_fd; > - else > -- errfd =3D open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); > -+ errfd =3D open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC= , 0644); > -=20 > - ++conn_running; > - pid =3D safe_fork(in, out, errfd); > -diff --git a/pppd/options.c b/pppd/options.c > -index 1d754ae..8e62635 100644 > ---- a/pppd/options.c > -+++ b/pppd/options.c > -@@ -1544,9 +1544,9 @@ setlogfile(argv) > - option_error("unable to drop permissions to open %s: %m", *argv); > +diff -Naur pppd.orig/options.c pppd/options.c > +--- pppd.orig/options.c 2023-06-30 12:42:19.262593140 +0200 > ++++ pppd/options.c 2023-06-30 13:01:58.388323345 +0200 > +@@ -1718,9 +1718,9 @@ > + ppp_option_error("unable to drop permissions to open %s: %m", *argv); > return 0; > } > - fd =3D open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); 
> @@ -64,11 +37,10 @@ index 1d754ae..8e62635 100644 > err =3D errno; > if (!privileged_option && seteuid(euid) =3D=3D -1) > fatal("unable to regain privileges: %m"); > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index 8a12fa0..00a2cf5 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) > +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c > +--- pppd.orig/sys-linux.c 2023-06-30 12:43:20.634453475 +0200 > ++++ pppd/sys-linux.c 2023-06-30 13:11:25.715511251 +0200 > +@@ -666,7 +666,7 @@ > goto err; > } > dbglog("using channel %d", chindex); > @@ -77,7 +49,7 @@ index 8a12fa0..00a2cf5 100644 > if (fd < 0) { > error("Couldn't reopen /dev/ppp: %m"); > goto err; > -@@ -619,7 +619,7 @@ static int make_ppp_unit() > +@@ -904,7 +904,7 @@ > dbglog("in make_ppp_unit, already had /dev/ppp open?"); > close(ppp_dev_fd); > } > @@ -86,7 +58,7 @@ index 8a12fa0..00a2cf5 100644 > if (ppp_dev_fd < 0) > fatal("Couldn't open /dev/ppp: %m"); > flags =3D fcntl(ppp_dev_fd, F_GETFL); > -@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) > +@@ -1025,7 +1025,7 @@ > if (!new_style_driver) > return -1; >=20 > @@ -95,7 +67,7 @@ index 8a12fa0..00a2cf5 100644 > if (master_fd < 0) > fatal("Couldn't open /dev/ppp: %m"); > if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { > -@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) > +@@ -2533,7 +2533,7 @@ > if (tune_kernel) { > forw_path =3D path_to_procfs("/sys/net/ipv4/ip_forward"); > if (forw_path !=3D 0) { > @@ -104,7 +76,7 @@ index 8a12fa0..00a2cf5 100644 > if (fd >=3D 0) { > if (write(fd, "1", 1) !=3D 1) > error("Couldn't enable IP forwarding: %m"); > -@@ -2030,7 +2030,7 @@ int ppp_available(void) > +@@ -2878,7 +2878,7 @@ > sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); > kernel_version =3D KVERSION(osmaj, osmin, ospatch); >=20 
> @@ -113,7 +85,7 @@ index 8a12fa0..00a2cf5 100644 > if (fd >=3D 0) { > new_style_driver =3D 1; >=20 > -@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, co= nst char *host) > +@@ -3056,7 +3056,7 @@ > #if __GLIBC__ >=3D 2 > updwtmp(_PATH_WTMP, &ut); > #else > @@ -122,7 +94,7 @@ index 8a12fa0..00a2cf5 100644 > if (wtmp >=3D 0) { > flock(wtmp, LOCK_EX); >=20 > -@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t = his_adr, > +@@ -3280,7 +3280,7 @@ > int fd; >=20 > path =3D path_to_procfs("/sys/net/ipv4/ip_dynaddr"); > @@ -131,7 +103,7 @@ index 8a12fa0..00a2cf5 100644 > if (write(fd, "1", 1) !=3D 1) > error("Couldn't enable dynamic IP addressing: %m"); > close(fd); > -@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) > +@@ -3534,7 +3534,7 @@ > /* > * Try the unix98 way first. > */ > @@ -140,17 +112,17 @@ index 8a12fa0..00a2cf5 100644 > if (mfd >=3D 0) { > int ptn; > if (ioctl(mfd, TIOCGPTN, &ptn) >=3D 0) { > -@@ -2851,7 +2851,8 @@ > +@@ -3545,7 +3545,8 @@ > if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) > warn("Couldn't unlock pty slave %s: %m", pty_name); > #endif > - if ((sfd =3D open(pty_name, O_RDWR | O_NOCTTY)) < 0) > + > -+ if ((sfd =3D open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) <= 0) > - { > ++ if ((sfd =3D open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) > + { > warn("Couldn't open pty slave %s: %m", pty_name); > - close(mfd); > -@@ -2865,10 +2866,10 @@ > + close(mfd); > +@@ -3559,10 +3560,10 @@ > for (i =3D 0; i < 64; ++i) { > slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", > 'p' + i / 16, i % 16); 
> @@ -161,13 +133,12 @@ index 8a12fa0..00a2cf5 100644 > - sfd =3D open(pty_name, O_RDWR | O_NOCTTY, 0); > + sfd =3D open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); > if (sfd >=3D 0) { > - fchown(sfd, uid, -1); > - fchmod(sfd, S_IRUSR | S_IWUSR); > -diff --git a/pppd/tdb.c b/pppd/tdb.c > -index bdc5828..c7ab71c 100644 > ---- a/pppd/tdb.c > -+++ b/pppd/tdb.c > -@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_= size, int tdb_flags, > + ret =3D fchown(sfd, uid, -1); > + if (ret !=3D 0) { > +diff -Naur pppd.orig/tdb.c pppd/tdb.c > +--- pppd.orig/tdb.c 2021-07-23 06:41:07.000000000 +0200 > ++++ pppd/tdb.c 2023-06-30 13:12:55.034900600 +0200 > +@@ -1728,7 +1728,7 @@ > goto internal; > } >=20 > @@ -176,7 +147,7 @@ index bdc5828..c7ab71c 100644 > TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", > name, strerror(errno))); > goto fail; /* errno set by open(2) */ > -@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) > +@@ -1971,7 +1971,7 @@ > } > if (close(tdb->fd) !=3D 0) > TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); > @@ -185,12 +156,11 @@ index bdc5828..c7ab71c 100644 > if (tdb->fd =3D=3D -1) { > TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); > goto fail; > -diff --git a/pppd/tty.c b/pppd/tty.c > -index d571b11..bc96695 100644 > ---- a/pppd/tty.c > -+++ b/pppd/tty.c > -@@ -569,7 +569,7 @@ int connect_tty() > - status =3D EXIT_OPEN_FAILED; > +diff -Naur pppd.orig/tty.c pppd/tty.c > +--- pppd.orig/tty.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/tty.c 2023-06-30 13:14:06.450418113 +0200 > +@@ -621,7 +621,7 @@ > + ppp_set_status(EXIT_OPEN_FAILED); > goto errret; > } > - real_ttyfd =3D open(devnam, O_NONBLOCK | O_RDWR, 0); 
> @@ -198,7 +168,7 @@ index d571b11..bc96695 100644 > err =3D errno; > if (prio < OPRIO_ROOT && seteuid(0) =3D=3D -1) > fatal("Unable to regain privileges"); > -@@ -723,7 +723,7 @@ int connect_tty() > +@@ -775,7 +775,7 @@ > if (connector =3D=3D NULL && modem && devnam[0] !=3D 0) { > int i; > for (;;) { > @@ -207,12 +177,11 @@ index d571b11..bc96695 100644 > break; > if (errno !=3D EINTR) { > error("Failed to reopen %s: %m", devnam); > -diff --git a/pppd/utils.c b/pppd/utils.c > -index 29bf970..6051b9a 100644 > ---- a/pppd/utils.c > -+++ b/pppd/utils.c > -@@ -918,14 +918,14 @@ lock(dev) > - slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); > +diff -Naur pppd.orig/utils.c pppd/utils.c > +--- pppd.orig/utils.c 2022-12-30 02:12:39.000000000 +0100 > ++++ pppd/utils.c 2023-06-30 13:15:47.860182369 +0200 > +@@ -843,14 +843,14 @@ > + slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", PPP_PATH_LOCKDIR= , dev); > #endif >=20 > - while ((fd =3D open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) { > @@ -228,7 +197,7 @@ index 29bf970..6051b9a 100644 > if (fd < 0) { > if (errno =3D=3D ENOENT) /* This is just a timing problem. */ > continue; > -@@ -1004,7 +1004,7 @@ relock(pid) > +@@ -933,7 +933,7 @@ >=20 > if (lock_file[0] =3D=3D 0) > return -1; > @@ -237,6 +206,3 @@ index 29bf970..6051b9a 100644 > if (fd < 0) { > error("Couldn't reopen lock file %s: %m", lock_file); > lock_file[0] =3D 0; > ---=20 > -1.8.3.1 > - > diff --git a/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-c= reating-socket.patch b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXE= C-when-creating-socket.patch > new file mode 100644 > index 000000000..cfd72e468 > --- /dev/null > +++ b/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating= -socket.patch 
> @@ -0,0 +1,135 @@ > +diff -Naur pppd.orig/plugins/pppoatm/pppoatm.c pppd/plugins/pppoatm/pppoat= m.c > +--- pppd.orig/plugins/pppoatm/pppoatm.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/plugins/pppoatm/pppoatm.c 2023-06-30 13:21:33.397378347 +0200 > +@@ -146,7 +146,7 @@ > +=20 > + if (!device_got_set) > + no_device_given_pppoatm(); > +- fd =3D socket(AF_ATMPVC, SOCK_DGRAM, 0); > ++ fd =3D socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (fd < 0) > + fatal("failed to create socket: %m"); > + memset(&qos, 0, sizeof qos); > +diff -Naur pppd.orig/plugins/pppoe/if.c pppd/plugins/pppoe/if.c > +--- pppd.orig/plugins/pppoe/if.c 2022-12-30 02:12:39.000000000 +0100 > ++++ pppd/plugins/pppoe/if.c 2023-06-30 13:24:11.372183452 +0200 > +@@ -116,7 +116,7 @@ > + stype =3D SOCK_PACKET; > + #endif > +=20 > +- if ((fd =3D socket(domain, stype, htons(type))) < 0) { > ++ if ((fd =3D socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { > + /* Give a more helpful message for the common error case */ > + if (errno =3D=3D EPERM) { > + fatal("Cannot create raw socket -- pppoe must be run as root."); > +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c > +--- pppd.orig/plugins/pppoe/plugin.c 2023-03-25 05:38:30.000000000 +0100 > ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200 > +@@ -155,7 +155,7 @@ > + /* server equipment). 
= */ > + /* Opening this socket just before waitForPADS in the discovery() = */ > + /* function would be more appropriate, but it would mess-up the code = */ > +- conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); > ++ conn->sessionSocket =3D socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, = PX_PROTO_OE); > + if (conn->sessionSocket < 0) { > + error("Failed to create PPPoE socket: %m"); > + return -1; > +@@ -166,7 +166,7 @@ > + lcp_wantoptions[0].mru =3D conn->mru =3D conn->storedmru; > +=20 > + /* Update maximum MRU */ > +- s =3D socket(AF_INET, SOCK_DGRAM, 0); > ++ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (s < 0) { > + error("Can't get MTU for %s: %m", conn->ifName); > + goto errout; > +@@ -364,7 +364,7 @@ > + } > +=20 > + /* Open a socket */ > +- if ((fd =3D socket(PF_PACKET, SOCK_RAW, 0)) < 0) { > ++ if ((fd =3D socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { > + r =3D 0; > + } > +=20 > +diff -Naur pppd.orig/plugins/pppol2tp/openl2tp.c pppd/plugins/pppol2tp/ope= nl2tp.c > +--- pppd.orig/plugins/pppol2tp/openl2tp.c 2023-03-10 02:50:41.000000000 +0= 100 > ++++ pppd/plugins/pppol2tp/openl2tp.c 2023-06-30 13:22:30.055768865 +0200 > +@@ -93,7 +93,7 @@ > + int result; > +=20 > + if (openl2tp_fd < 0) { > +- openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM, 0); > ++ openl2tp_fd =3D socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (openl2tp_fd < 0) { > + error("openl2tp connection create: %m"); > + return -ENOTCONN; > +diff -Naur pppd.orig/plugins/pppol2tp/pppol2tp.c pppd/plugins/pppol2tp/ppp= ol2tp.c > +--- pppd.orig/plugins/pppol2tp/pppol2tp.c 2022-12-30 02:12:39.000000000 +0= 100 > ++++ pppd/plugins/pppol2tp/pppol2tp.c 2023-06-30 13:23:13.493756755 +0200 > +@@ -220,7 +220,7 @@ > + struct ifreq ifr; > + int fd; > +=20 > +- fd =3D socket(AF_INET, SOCK_DGRAM, 0); > ++ fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (fd >=3D 0) { > + memset (&ifr, '\0', sizeof (ifr)); > + ppp_get_ifname(ifr.ifr_name, 
sizeof(ifr.ifr_name)); > +diff -Naur pppd.orig/sys-linux.c pppd/sys-linux.c > +--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200 > ++++ pppd/sys-linux.c 2023-06-30 13:32:50.021272249 +0200 > +@@ -499,12 +499,12 @@ > + void sys_init(void) > + { > + /* Get an internet socket for doing socket ioctls. */ > +- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); > ++ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (sock_fd < 0) > + fatal("Couldn't create IP socket: %m(%d)", errno); > +=20 > + #ifdef PPP_WITH_IPV6CP > +- sock6_fd =3D socket(AF_INET6, SOCK_DGRAM, 0); > ++ sock6_fd =3D socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (sock6_fd < 0) > + sock6_fd =3D -errno; /* save errno for later */ > + #endif > +@@ -2675,7 +2675,7 @@ > + struct ifreq ifreq; > + int ret, sock_fd; > +=20 > +- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); > ++ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (sock_fd < 0) > + return -1; > + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); > +@@ -2698,7 +2698,7 @@ > + struct ifreq ifreq; > + int ret, sock_fd; > +=20 > +- sock_fd =3D socket(AF_INET, SOCK_DGRAM, 0); > ++ sock_fd =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (sock_fd < 0) > + return -1; > +=20 > +@@ -2915,7 +2915,7 @@ > + /* > + * Open a socket for doing the ioctl operations. > + */ > +- s =3D socket(AF_INET, SOCK_DGRAM, 0); > ++ s =3D socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); > + if (s < 0) > + return 0; > +=20 > +diff -Naur pppd.orig/tty.c pppd/tty.c > +--- pppd.orig/tty.c 2023-06-30 13:14:06.450418113 +0200 > ++++ pppd/tty.c 2023-06-30 13:33:31.285858278 +0200 > +@@ -942,7 +942,7 @@ > + *sep =3D ':'; > +=20 > + /* get a socket and connect it to the other end */ > +- sock =3D socket(PF_INET, SOCK_STREAM, 0); > ++ sock =3D socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); > + if (sock < 0) { > + error("Can't create socket: %m"); > + return -1; 
> diff --git a/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch b= /src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch > new file mode 100644 > index 000000000..002b6066d > --- /dev/null > +++ b/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch > @@ -0,0 +1,12 @@ > +diff -Naur pppd.orig/plugins/pppoe/pppoe.h pppd/plugins/pppoe/pppoe.h > +--- pppd.orig/plugins/pppoe/pppoe.h 2022-12-30 02:12:39.000000000 +0100 > ++++ pppd/plugins/pppoe/pppoe.h 2023-06-30 13:37:07.189078090 +0200 > +@@ -143,7 +143,7 @@ > + #define STATE_TERMINATED 4 > +=20 > + /* How many PADI/PADS attempts? */ > +-#define MAX_PADI_ATTEMPTS 3 > ++#define MAX_PADI_ATTEMPTS 4 > +=20 > + /* Initial timeout for PADO/PADS */ > + #define PADI_TIMEOUT 5 > diff --git a/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch b/src/patches/pp= p/ppp-2.5.0-5-headers_4.9.patch > new file mode 100644 > index 000000000..dc6c22852 > --- /dev/null > +++ b/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch > @@ -0,0 +1,12 @@ > +diff -Naur pppd.orig/plugins/pppoe/plugin.c pppd/plugins/pppoe/plugin.c > +--- pppd.orig/plugins/pppoe/plugin.c 2023-06-30 13:25:58.798782323 +0200 > ++++ pppd/plugins/pppoe/plugin.c 2023-06-30 13:50:23.150026201 +0200 > +@@ -46,6 +46,8 @@ > + #include > + #include > + #include > ++#define _LINUX_IN_H > ++#define _LINUX_IN6_H > + #include > +=20 > + #include > diff --git a/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-p= roperly.patch b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-= properly.patch > new file mode 100644 > index 000000000..0e9eab6ed > --- /dev/null > +++ b/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly= .patch 
> @@ -0,0 +1,18 @@ > +diff -Naur ppp-2.5.0.orig/configure ppp-2.5.0/configure > +--- ppp-2.5.0.orig/configure 2023-03-25 05:38:36.000000000 +0100 > ++++ ppp-2.5.0/configure 2023-06-30 14:05:14.773950477 +0200 > +@@ -17774,10 +17774,10 @@ > + rm -f $2 > + if [ -f $1 ]; then > + echo " $2 <=3D $1" > +- sed -e "s,@DESTDIR@,$prefix,g" \ > +- -e "s,@SYSCONF@,$sysconfdir,g" \ > +- -e "s,@CC@,$CC,g" \ > +- -e "s|@CFLAGS@|$CFLAGS|g" $1 > $2 > ++ sed -e "s#@DESTDIR@#$prefix#g" \ > ++ -e "s#@SYSCONF@#$sysconfdir#g" \ > ++ -e "s#@CC@#$CC#g" \ > ++ -e "s#@CFLAGS@#$CFLAGS#g" $1 > $2 > + fi > + } > +=20 > --=20 > 2.41.0 >=20 --===============1774459935448269762==--
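Review bot: The refreshed O_CLOEXEC patch loses its provenance in the first hunk (`@@ -1,23 +1,7 @@`): the `From: Michal Sekletar`, `Date: Mon, 7 Apr 2014` and `Subject: [PATCH 13/25] everywhere: O_CLOEXEC harder` lines and the diffstat are removed and replaced by bare `diff -Naur` output. Keep a short header above the first `diff -Naur pppd.orig/eap.c pppd/eap.c` line that names the original author and subject and says the patch was rebased onto 2.5.0, so the next person updating it knows where it came from.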
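Review bot: In the main.c section of the O_CLOEXEC patch (`@@ -26,34 +10,23 @@`), the old device_script() hunk that added O_CLOEXEC to `open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644)` is removed without a replacement, while the other open() calls from the 2.4.9 version of the patch are carried forward. The description mentions that the connect-errors location is now set by `--with-logfile-dir`, but not that this call is no longer patched. Please state the reason in the commit message, so it is clear the hunk was dropped deliberately and not lost in the rebase.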
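Review bot: The sys-linux.c and tty.c sections of the SOCK_CLOEXEC patch are diffed against the output of the O_CLOEXEC patch, not against pristine 2.5.0 sources: `--- pppd.orig/sys-linux.c 2023-06-30 13:11:25.715511251 +0200` carries the same timestamp as the `+++ pppd/sys-linux.c` line of the earlier patch, and `pppd.orig/tty.c 2023-06-30 13:14:06.450418113` matches in the same way. The headers patch for plugins/pppoe/plugin.c is stacked on this one too (`13:25:58.798782323`). The series is therefore meant to be applied in the numbered order; say so in a header line of each patch or next to the patch commands in the build file, so the patches are not reordered or dropped one at a time later.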
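Review bot: The pppoe.h hunk changes `#define MAX_PADI_ATTEMPTS 3` to `4` with no explanation, and the new patch file has no header at all. Add a line above the diff saying why one more PADI/PADS attempt is needed and for which kind of connection, because whoever rebases this onto the next release has only the file name to go on.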
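Review bot: In the headers_4.9 patch, defining `_LINUX_IN_H` and `_LINUX_IN6_H` in plugins/pppoe/plugin.c ahead of the following #include pre-sets the include guards of kernel headers, which hides everything those headers would declare and depends on the guard names never changing. The file name still refers to 4.9 headers. Please check whether plugin.c from 2.5.0 still fails to build against the current kernel headers without these two defines; if it builds, drop the patch, and if it does not, add a comment naming the conflicting definitions it works around.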
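Review bot: The configure patch does not say which value it is working around: the old `@CFLAGS@` expression already used `|` as its delimiter (`-e "s|@CFLAGS@|$CFLAGS|g"`), and only the `@DESTDIR@`, `@SYSCONF@` and `@CC@` expressions used `,`, so the file name alone ("handle cflags properly") does not explain the switch to `#`. Add a header line stating which variable contained the clashing character. Note also that the hunk edits the generated `configure` script at line 17774, so the change disappears if the script is regenerated during the build; the same fix belongs in the input that generates this function and is worth sending upstream.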