Hello,

while testing some firewall stuff, I stumbled across bug #11777
(https://bugzilla.ipfire.org/show_bug.cgi?id=11777): In some cases,
GeoIP country data in firewall rules and WebUI seem to differ. :-(

Since this makes debugging extremely hard and unreliable, could
someone have a look at this please?

Sorry for the noise, but this is a nasty one...

Thanks and best regards,
Peter Müller

> Hello,
>
> just installed IPFire 2.21 - Core Update 122 on a testing machine.
>
> Issues noticed during update:
> (a) Update to 122 was not installed automatically, but needs user
> interaction.
> (b) Machine rebooted properly and came up again without manual action
> required.
> (c) WebUI shortly displays "local recursor" for DNS status at
> the main page - DNSSEC status of nameservers, however, is green.
> These were displayed correctly again after ~ 2 minutes.
> (d) NRPE addon required reinstallation (probably due to some
> configuration changes). The service did not appear in the list at
> the WebUI; this needs some bugfixing.
> (e) charon displays connection errors "could not write to socket:
> operation not permitted" which disappeared after ~ 2 minutes and
> everything was properly established.
>
> Summary:
> Reboot, basic functions         WORKS
> Squid web proxy + URL filter    WORKS
> IDS                             WORKS
> OpenVPN (N2N only)              WORKS
> IPsec (N2N only)                WORKS
> SSH                             WORKS
> QoS                             WORKS
> NRPE                            WORKS (after reinstallation, some bugs left)
>
> CPU load (especially when it comes to HW interrupts) is a bit
> (but not significant) lower than it was while running C120.
> RAM consumption stays at the same level. Entropy is ~ 400 bits
> higher. Kernel reports two interesting log lines on boot:
>
> 19:02:35 kernel: alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106-gcm-aesni))
>
> 18:57:49 kernel: xt_geoip: loading out-of-tree module taints kernel.
>
> Just for the records. :-)
>
> System seems to be safe against Spectre/Meltdown:
>
> /sys/devices/system/cpu/vulnerabilities/meltdown:
> Mitigation: PTI
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:
> Not affected
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:
> Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:
> Mitigation: Full generic retpoline
>
> In case any issues occur within the next time, I'll let you know.
> Excellent work so far!
>
> Thanks, and best regards,
> Peter Müller
>
-- 
"We don't care. We don't have to. We're the Phone Company."