Hi, I think this patch is mostly fine. Just a couple of small questions. > On 12 May 2019, at 05:24, Erik Kapfer wrote: > > - New user and group sslh has been added. > - Added USELIBCAP to make transparent mode possible. > - red.up script has been added. If red IP changes, sslh will be restarted to run with the new IP. > - red.up script searches for sslh symlink in rc3.d, if nothing can be found, it will not start so it can be disabled via WUI (services.cgi). > - Symlinks for runlevels has been nevertheless added to sslh package to control it also via services.cgi. > - Configuration block has been added to sslh initscript. > - External IP address check will also be used for configure options. > - Configure provides currently only OpenVPN > - OpenVPN port will be automatically investigated. > > Signed-off-by: Erik Kapfer > --- > config/rootfiles/packages/sslh | 1 + > config/sslh/25-sslh | 17 +++++++++++++++++ > lfs/initscripts | 3 --- > lfs/sslh | 16 +++++++++------- > src/initscripts/packages/sslh | 41 +++++++++++++++++++++++++++++++++-------- > src/paks/sslh/install.sh | 16 +++++++++++++++- > src/paks/sslh/uninstall.sh | 4 +++- > 7 files changed, 78 insertions(+), 20 deletions(-) > create mode 100644 config/sslh/25-sslh > > diff --git a/config/rootfiles/packages/sslh b/config/rootfiles/packages/sslh > index 2c67aad3a..15d5ff8f9 100644 > --- a/config/rootfiles/packages/sslh > +++ b/config/rootfiles/packages/sslh > @@ -1,2 +1,3 @@ > +etc/rc.d/init.d/networking/red.up/25-sslh > etc/rc.d/init.d/sslh > usr/sbin/sslh > diff --git a/config/sslh/25-sslh b/config/sslh/25-sslh > new file mode 100644 > index 000000000..0b65d4309 > --- /dev/null > +++ b/config/sslh/25-sslh 
> @@ -0,0 +1,17 @@ > +#!/bin/bash > + > +# Check if SSLH has been enabled in WUI > +if ls /etc/rc.d/rc3.d | grep -q '.*sslh' >/dev/null; then I do not think that this is very elegant. Calling ls is shell scripts has many disadvantages. Can we not just test for /etc/rc.d/rc3.d/S98sslh being present? We know the real path. > + # If SSLH is enabled and running but red0 gets a new IP, restart SSLH > + if pgrep 'sslh' > /dev/null; then > + /etc/init.d/sslh restart > + else > + # If sslh is not running yet, start it > + /etc/init.d/sslh start > + fi This is fine. > +else > + # If SSLH has been disabled on boot via services WUI, stop service > + /etc/init.d/sslh stop It should not be running in the first place here. > +fi > + > +# EOF > diff --git a/lfs/initscripts b/lfs/initscripts > index 055e106d0..3173a04e4 100644 > --- a/lfs/initscripts > +++ b/lfs/initscripts > @@ -136,9 +136,6 @@ $(TARGET) : > ln -sf ../init.d/client175 /etc/rc.d/rc0.d/K34client175 > ln -sf ../init.d/client175 /etc/rc.d/rc3.d/S66client175 > ln -sf ../init.d/client175 /etc/rc.d/rc6.d/K34client175 > - ln -sf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > - ln -sf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > ln -sf ../init.d/vdradmin /etc/rc.d/rc3.d/S99vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc0.d/K01vdradmin > ln -sf ../init.d/vdradmin /etc/rc.d/rc6.d/K01vdradmin > diff --git a/lfs/sslh b/lfs/sslh > index 100cec065..ab453c75d 100644 > --- a/lfs/sslh > +++ b/lfs/sslh > @@ -1,7 +1,7 @@ > ############################################################################### > # # > # IPFire.org - A linux based firewall # > -# Copyright (C) 2007-2018 IPFire Team # > +# Copyright (C) 2007-2019 IPFire Team # > # # > # This program is free software: you can redistribute it and/or modify # > # it under the terms of the GNU General Public License as published by # 
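Review bot: The inner `if pgrep 'sslh' > /dev/null` test matches process names by substring, and a script executed through its `#!/bin/bash` shebang carries its own basename (`25-sslh`) as the process name, so this check very likely matches the running hook itself and the `start` branch beneath it is never reached; every RED change then goes through `restart`, which first stops a daemon that may not be running. Matching the daemon exactly, `if pgrep -x sslh > /dev/null; then`, removes the self-match and also stops any other process whose name merely contains `sslh` from being taken for the daemon. Since the initscript now writes `/var/run/sslh.pid`, testing that pidfile (with a stale-pid check) would be the other option; either way the branch should be confirmed on a live box, because as written the two branches are presumably never both exercised.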
> @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.7a > +VER = 1.20 > > THISAPP = sslh-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = sslh > -PAK_VER = 5 > +PAK_VER = 6 > > DEPS = "" > > @@ -44,7 +44,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = ee124654412198a5e11fe28acf10634d > +$(DL_FILE)_MD5 = 0db26ed2825b1ef6c83959a988279912 > > install : $(TARGET) > > @@ -77,11 +77,13 @@ $(subst %,%_MD5,$(objects)) : > $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @$(PREBUILD) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBWRAP= > - cd $(DIR_APP) && install -v -m 755 sslh /usr/sbin > + cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" $(MAKETUNING) USELIBCAP=1 USELIBWRAP= > + cd $(DIR_APP) && install -v -m 755 sslh-fork /usr/sbin/sslh > > - #install initscripts > + # Install initscripts > $(call INSTALL_INITSCRIPT,sslh) > + # Install red.up > + install -v -m 754 -D $(DIR_CONF)/sslh/25-sslh /etc/rc.d/init.d/networking/red.up/25-sslh > > @rm -rf $(DIR_APP) > @$(POSTBUILD) > diff --git a/src/initscripts/packages/sslh b/src/initscripts/packages/sslh > index 43e58f392..f227ae9fb 100644 > --- a/src/initscripts/packages/sslh > +++ b/src/initscripts/packages/sslh 
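Review bot: `USELIBCAP=1` on the make line changes what privileges the installed binary can keep after `--user sslh` drops root (the commit message says this is what makes `--transparent` possible), yet the line carries no comment and `DEPS = ""` in the `@@ -32,7` hunk above is unchanged, so a reader of lfs/sslh cannot tell why libcap is linked in nor that the package now depends on it at runtime. A one-line comment above the call, `# USELIBCAP=1: needed for sslh --transparent (capability handling after the privilege drop)`, would document the intent; whether libcap is guaranteed present on the core system this pak runs on, or must be added to DEPS, is something to confirm. The red.up hook is installed with an explicit `-m 754` while the initscript goes through INSTALL_INITSCRIPT; if that macro uses a different mode the two files should agree.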
> @@ -3,31 +3,56 @@ > > # Based on sysklogd script from LFS-3.1 and earlier. > # Rewritten by Gerard Beekmans - gerard(a)linuxfromscratch.org > +# > +############################################################# > +# > > . /etc/sysconfig/rc > . $rc_functions > > +DAEMON="/usr/sbin/sslh" > +PID="/var/run/sslh.pid" > + > +# Check external IP address and ports > +EXTERNAL_IP_ADDRESS="$( + > +# Investigate OpenVPN port > +IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf) > + > +# Loopback interface > +LO="127.0.0.1" > + > +# Used TCP ports > +LISTENPORT="443" > +OPENVPNPORT=${IPFIREOPENVPN} > + > +# Configuration options > +DAEMON_OPTS=" > +--user sslh > +--listen ${EXTERNAL_IP_ADDRESS}:${LISTENPORT} > +--openvpn ${LO}:${OPENVPNPORT} > +--pidfile ${PID} > +-C /var/empty > +" > + > case "$1" in > start) > boot_mesg "Starting SSLH Deamon..." > - > - LOCAL_IP_ADDRESS="$( - if [ -z "${LOCAL_IP_ADDRESS}" ]; then > + if [ -z "${EXTERNAL_IP_ADDRESS}" ]; then > echo_failure > boot_mesg -n "FAILURE:\n\nCould not determine" ${FAILURE} > boot_mesg -n " your external IP address." > boot_mesg "" ${NORMAL} > exit 1 > fi > - > - loadproc /usr/sbin/sslh -u nobody \ > - -p "${LOCAL_IP_ADDRESS}:443" -s localhost:222 -l localhost:444 > + loadproc ${DAEMON} ${DAEMON_OPTS} > evaluate_retval > ;; > > stop) > boot_mesg "Stopping SSLH Deamon..." > - killproc /usr/sbin/sslh > + killproc ${DAEMON} > + rm -f ${PID} > evaluate_retval > ;; > > @@ -38,7 +63,7 @@ case "$1" in > ;; > > status) > - statusproc /usr/sbin/sslh > + statusproc ${DAEMON} > ;; > > *) > diff --git a/src/paks/sslh/install.sh b/src/paks/sslh/install.sh > index 626884bdd..410dc9d83 100644 > --- a/src/paks/sslh/install.sh > +++ b/src/paks/sslh/install.sh 
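Review bot: `IPFIREOPENVPN=$(awk '/port/ { print $2 }' /var/ipfire/ovpn/server.conf)` selects every line containing the substring `port` anywhere (e.g. `lport`, `rport` or a comment mentioning it), so OPENVPNPORT can come out empty, or as several words, and that value then lands unquoted in `--openvpn ${LO}:${OPENVPNPORT}` inside the word-split DAEMON_OPTS list, while the start branch only validates EXTERNAL_IP_ADDRESS. Anchor on the directive and stop at the first hit, `IPFIREOPENVPN=$(awk '$1 == "port" { print $2; exit }' /var/ipfire/ovpn/server.conf 2>/dev/null)`, and refuse to start when it is empty, `[ -n "${OPENVPNPORT}" ] || { boot_mesg "FAILURE: no OpenVPN port found" ${FAILURE}; exit 1; }`, so the listener on RED:443 is never brought up with a dangling backend. The EXTERNAL_IP_ADDRESS assignment appears truncated in this copy of the patch, so I could not check what it reads.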
> @@ -23,5 +23,19 @@ > # > . /opt/pakfire/lib/functions.sh > extract_files > -ln -s /etc/init.d/sslh /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Add user and group for sslh if not already done > +if ! getent group sslh &>/dev/null; then > + groupadd -g 131 sslh > +fi > + > +if ! getent passwd sslh; then > + useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/false sslh > +fi Why are the user and group ID different? Is there a reason why they cannot be the same? > + > +# Set symlink for runlevels > +ln -svf ../init.d/sslh /etc/rc.d/rc0.d/K02sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc3.d/S98sslh > +ln -svf ../init.d/sslh /etc/rc.d/rc6.d/K02sslh > + > start_service --background ${NAME} > diff --git a/src/paks/sslh/uninstall.sh b/src/paks/sslh/uninstall.sh > index dca34ccbd..4dfa0b274 100644 > --- a/src/paks/sslh/uninstall.sh > +++ b/src/paks/sslh/uninstall.sh > @@ -24,4 +24,6 @@ > . /opt/pakfire/lib/functions.sh > stop_service ${NAME} > remove_files > -rm -f /etc/rc.d/init.d/networking/red.up/50-sslh > + > +# Delete symlinks in runlevels > +rm -f /etc/rc.d/rc?.d/???sslh; > -- > 2.12.2 -Michael
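Review bot: The `if ! getent passwd sslh; then` test lacks the `&>/dev/null` that the group test three lines above has, so a reinstall or upgrade prints the account line into the installer output, and neither `groupadd` nor `useradd` has its exit status checked; if UID 123 or GID 131 is already taken on a given installation the account silently does not exist and `start_service` then runs an initscript whose `--user sslh` cannot be satisfied. Make the two tests symmetric and fail the install on error: `if ! getent passwd sslh &>/dev/null; then` and `useradd -u 123 -g sslh -c "SSLH daemon user" -d /var/empty -s /bin/false sslh || exit 1`, with the same `|| exit 1` on the groupadd line. Whether the pakfire framework prefers a different failure path is something to confirm against functions.sh.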
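Review bot: install.sh now creates the `sslh` user and group, but this hunk removes only the runlevel symlinks, so uninstalling leaves a fixed-UID system account behind; if that is deliberate (files owned by it may survive), a comment stating so would help, otherwise mirror the creation with `userdel sslh` and `groupdel sslh` after remove_files. The trailing `;` on the `rm -f /etc/rc.d/rc?.d/???sslh;` line is a no-op and should be dropped.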