From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] Clean up whatever remained from ALGs in userspace
Date: Thu, 03 Jun 2021 10:20:37 +0100
Message-ID: <B92AEE7D-C54F-4AA8-8516-FCFEC7F80F5F@ipfire.org>
In-Reply-To: <b80f4bde-c61f-16b7-6a7b-31e2069e6e8d@ipfire.org>
Hello,
> On 2 Jun 2021, at 20:37, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> This patch removes translations, directives in LFS files, and ALG shared
> object files which all became orphaned after we disabled ALGs due to NAT
> Slipstreaming vulnerability in Core Update 155.
>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/rootfiles/common/conntrack-tools | 18 +++++++++---------
> config/rootfiles/core/158/update.sh | 1 +
> langs/de/cgi-bin/de.pl | 1 -
> langs/en/cgi-bin/en.pl | 1 -
> langs/fr/cgi-bin/fr.pl | 1 -
> langs/tr/cgi-bin/tr.pl | 1 -
> lfs/configroot | 5 -----
> 7 files changed, 10 insertions(+), 18 deletions(-)
>
> diff --git a/config/rootfiles/common/conntrack-tools b/config/rootfiles/common/conntrack-tools
> index 27161b1fb..b6632ec07 100644
> --- a/config/rootfiles/common/conntrack-tools
> +++ b/config/rootfiles/common/conntrack-tools
> @@ -1,24 +1,24 @@
> #usr/lib/conntrack-tools
> #usr/lib/conntrack-tools/ct_helper_amanda.la
> -usr/lib/conntrack-tools/ct_helper_amanda.so
> +#usr/lib/conntrack-tools/ct_helper_amanda.so
> #usr/lib/conntrack-tools/ct_helper_dhcpv6.la
> #usr/lib/conntrack-tools/ct_helper_dhcpv6.so
> #usr/lib/conntrack-tools/ct_helper_ftp.la
> -usr/lib/conntrack-tools/ct_helper_ftp.so
> +#usr/lib/conntrack-tools/ct_helper_ftp.so
> #usr/lib/conntrack-tools/ct_helper_mdns.la
> -usr/lib/conntrack-tools/ct_helper_mdns.so
> +#usr/lib/conntrack-tools/ct_helper_mdns.so
> #usr/lib/conntrack-tools/ct_helper_rpc.la
> -usr/lib/conntrack-tools/ct_helper_rpc.so
> +#usr/lib/conntrack-tools/ct_helper_rpc.so
> #usr/lib/conntrack-tools/ct_helper_sane.la
> -usr/lib/conntrack-tools/ct_helper_sane.so
> +#usr/lib/conntrack-tools/ct_helper_sane.so
> #usr/lib/conntrack-tools/ct_helper_slp.la
> -usr/lib/conntrack-tools/ct_helper_slp.so
> +#usr/lib/conntrack-tools/ct_helper_slp.so
> #usr/lib/conntrack-tools/ct_helper_ssdp.la
> -usr/lib/conntrack-tools/ct_helper_ssdp.so
> +#usr/lib/conntrack-tools/ct_helper_ssdp.so
> #usr/lib/conntrack-tools/ct_helper_tftp.la
> -usr/lib/conntrack-tools/ct_helper_tftp.so
> +#usr/lib/conntrack-tools/ct_helper_tftp.so
> #usr/lib/conntrack-tools/ct_helper_tns.la
> -usr/lib/conntrack-tools/ct_helper_tns.so
> +#usr/lib/conntrack-tools/ct_helper_tns.so
I believe that these have a different job than those in the kernel. However, I have merged the whole patch and we will see what is happening.
There is a lot of outdated stuff in there as well (sane, Amanda, …) and I do not believe anyone will miss this.
Best,
-Michael
> usr/sbin/conntrack
> usr/sbin/conntrackd
> usr/sbin/nfct
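Review bot: The helpers commented out in this hunk (amanda, ftp, mdns, rpc, sane, slp, ssdp, tftp, tns) are not the same set as the protocols named in the loop removed from lfs/configroot (AMANDA FTP H323 IRC PPTP SIP TFTP); only amanda, ftp and tftp appear in both. The commit message calls all of them orphaned by the ALG removal, so it should say why the other six are unused as well, and confirm that no shipped configuration loads any of them through conntrackd, which this rootfile still installs as usr/sbin/conntrackd.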
> diff --git a/config/rootfiles/core/158/update.sh b/config/rootfiles/core/158/update.sh
> index 68fe116a9..2568ea836 100644
> --- a/config/rootfiles/core/158/update.sh
> +++ b/config/rootfiles/core/158/update.sh
> @@ -36,6 +36,7 @@ rm -vrf \
> /etc/rc.d/init.d/upnpd \
> /etc/rc.d/init.d/networking/red.down/10-miniupnpd \
> /etc/rc.d/init.d/networking/red.up/10-miniupnpd \
> + /usr/lib/conntrack-tools \
> /usr/lib/libixml.so.* \
> /usr/lib/libupnp.so.* \
> /var/ipfire/upnp
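Review bot: The added `/usr/lib/conntrack-tools \` line sits in an `rm -vrf` list whose visible neighbours are all UPnP leftovers (upnpd, miniupnpd, libupnp), so a reader of update.sh gets no hint that it belongs to the ALG cleanup. Consider a separate `rm -vrf /usr/lib/conntrack-tools` with a one-line comment above it. Removing the whole directory is only consistent with the rootfile hunk because every entry under it is now commented out there, and that coupling is worth stating in the comment.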
> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
> index 95af3155b..0bc579cd2 100644
> --- a/langs/de/cgi-bin/de.pl
> +++ b/langs/de/cgi-bin/de.pl
> @@ -437,7 +437,6 @@
> 'alt vpn' => 'VPNs',
> 'and' => 'Und',
> 'apcupsd' => 'APC-UPS Status',
> -'application layer gateways' => 'Application-Layer-Gateways',
> 'apply' => 'Jetzt anwenden',
> 'april' => 'April',
> 'archive not exist' => 'Konfigurationsarchiv existiert nicht',
> diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
> index d86705772..1c69b3798 100644
> --- a/langs/en/cgi-bin/en.pl
> +++ b/langs/en/cgi-bin/en.pl
> @@ -436,7 +436,6 @@
> 'and' => 'And',
> 'ansi t1.483' => 'TO BE REMOVED',
> 'apcupsd' => 'APC-UPS status',
> -'application layer gateways' => 'Application Layer Gateways',
> 'apply' => 'Apply now',
> 'april' => 'April',
> 'archive not exist' => 'Configuration archive does not exist',
> diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
> index 301109477..7cabaccde 100644
> --- a/langs/fr/cgi-bin/fr.pl
> +++ b/langs/fr/cgi-bin/fr.pl
> @@ -442,7 +442,6 @@
> 'alt vpn' => 'VPNs',
> 'and' => 'Et',
> 'apcupsd' => 'Statut UPS-APC',
> -'application layer gateways' => 'Passerelles de couche d\'application',
> 'apply' => 'Appliquer maintenant',
> 'april' => 'Avril',
> 'archive not exist' => 'L\'archive de configuration n\'existe pas',
> diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
> index 36c4782d6..e02320a58 100644
> --- a/langs/tr/cgi-bin/tr.pl
> +++ b/langs/tr/cgi-bin/tr.pl
> @@ -424,7 +424,6 @@
> 'and' => 've',
> 'ansi t1.483' => 'KALDIRILACAK',
> 'apcupsd' => 'APC-UPS durumu',
> -'application layer gateways' => 'Uygulama Katmanı Ağ Geçitleri',
> 'apply' => 'Şimdi uygula',
> 'april' => 'Nisan',
> 'archive not exist' => 'Yapılandırma arşivi yok',
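Review bot: The 'application layer gateways' key is dropped from de, en, fr and tr only, going by the diffstat. If any other directory under langs/ still carries this key, it needs the same one-line removal, otherwise the string stays orphaned there. A grep for the key across langs/ and the CGI sources before merging would confirm both that and that nothing still looks the key up.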
> diff --git a/lfs/configroot b/lfs/configroot
> index 02b2883ba..c528bd6d9 100644
> --- a/lfs/configroot
> +++ b/lfs/configroot
> @@ -138,11 +138,6 @@ $(TARGET) :
> cp $(DIR_SRC)/config/suricata/convert-snort /usr/sbin/convert-snort
> cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file
>
> - # Add conntrack helper default settings
> - for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \
> - echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \
> - done
> -
> # set converters executable
> chmod 755 /usr/sbin/convert-*
>
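Review bot: Dropping the defaults loop only affects newly built configuration roots; systems installed earlier already have the CONNTRACK_AMANDA through CONNTRACK_TFTP lines in optionsfw/settings, and the update.sh hunk in this patch removes files only. If the intent is that nothing of the ALG settings remains, the Core 158 update script should also delete the `CONNTRACK_` lines from the installed settings file, and it is worth confirming that no remaining reader of that file expects these keys to exist.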
> --
> 2.26.2