Development October 2019

development@lists.ipfire.org

12 participants
77 discussions

[PATCH] QoS: Do no classify as default when L7 filter isn't done
by Michael Tremer 22 Oct '19

22 Oct '19

We need to allow some more packets to pass through the mangle chains so that the layer 7 filter can determine what protocol it finds. If L7 filter decides that a connection is of type "unknown", we mark it as default, or it is marked with the correct class. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/qos/makeqosscripts.pl | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl index 1a5d01d52..cbbbf70f8 100644 --- a/config/qos/makeqosscripts.pl +++ b/config/qos/makeqosscripts.pl @@ -205,9 +205,6 @@ foreach $classentry (sort @classes) } print <<END - ### add l7-filter to PREROUTING chain to see all traffic - iptables -t mangle -A PREROUTING -m layer7 --l7proto unset - ### ADD QOS-OUT CHAIN TO THE MANGLE TABLE IN IPTABLES iptables -t mangle -N QOS-OUT iptables -t mangle -I POSTROUTING -o $qossettings{'RED_DEV'} -j QOS-OUT @@ -502,7 +499,7 @@ END print <<END ### REDUNDANT: SET ALL NONMARKED PACKETS TO DEFAULT CLASS - iptables -t mangle -A QOS-INC -m mark --mark 0 -j MARK --set-mark $qossettings{'DEFCLASS_INC'} + iptables -t mangle -A QOS-INC -m mark --mark 0 -m layer7 ! --l7proto unset -j MARK --set-mark $qossettings{'DEFCLASS_INC'} # Save mark in connection tracking iptables -t mangle -A QOS-INC -j CONNMARK --save-mark @@ -540,8 +537,6 @@ print <<END iptables -t mangle --delete-chain QOS-OUT >/dev/null 2>&1 iptables -t mangle --flush QOS-INC >/dev/null 2>&1 iptables -t mangle --delete-chain QOS-INC >/dev/null 2>&1 - # remove l7-filter - iptables -t mangle --delete PREROUTING -m layer7 --l7proto unset rmmod sch_htb >/dev/null 2>&1 -- 2.12.2

1 0

speedtest-cli => ImportError
by Matthias Fischer 22 Oct '19

22 Oct '19

Hi, being curious, I tested 'speedtest-cli' on Core 136. This gives me: ***SNIP*** root@ipfire: ~ # speedtest-cli Traceback (most recent call last): File "/usr/bin/speedtest-cli", line 5, in <module> from pkg_resources import load_entry_point ImportError: No module named pkg_resources *** As far as I can see, 'speedtest-cli' needs some modules from '/usr/lib/python3.6/...' which are not part of the current Core 136 and Core 137(!?) running 'python 2.7.15'. See: rootfiles from 'python3' and 'python3-setuptools'. Or is it my fault? Can anyone confirm? Best, Matthias

2 1

[PATCH v2 01/15] QoS: Do not manually load iptables modules
by Michael Tremer 21 Oct '19

21 Oct '19

This should not be necessary and causes the script to wait for two seconds. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller(a)ipfire.org> --- config/qos/makeqosscripts.pl | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl index cddfa2772..053b32161 100644 --- a/config/qos/makeqosscripts.pl +++ b/config/qos/makeqosscripts.pl @@ -407,10 +407,6 @@ print <<END ### ### BRING UP $qossettings{'IMQ_DEV'} - if [ `lsmod | grep -q ipt_IMQ` ]; then - insmod ipt_IMQ - sleep 2 - fi modprobe imq numdevs=1 numqueues=\$(grep -c "^processor" /proc/cpuinfo || echo 1) ip link set $qossettings{'IMQ_DEV'} up -- 2.12.2

1 14

[PATCH 01/10] QoS: Do not manually load iptables modules
by Daniel Weismüller 21 Oct '19

21 Oct '19

From: Michael Tremer <michael.tremer(a)ipfire.org> This should not be necessary and causes the script to wait for two seconds. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller(a)ipfire.org> --- config/qos/makeqosscripts.pl | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/qos/makeqosscripts.pl b/config/qos/makeqosscripts.pl index cddfa2772..053b32161 100644 --- a/config/qos/makeqosscripts.pl +++ b/config/qos/makeqosscripts.pl @@ -407,10 +407,6 @@ print <<END ### ### BRING UP $qossettings{'IMQ_DEV'} - if [ `lsmod | grep -q ipt_IMQ` ]; then - insmod ipt_IMQ - sleep 2 - fi modprobe imq numdevs=1 numqueues=\$(grep -c "^processor" /proc/cpuinfo || echo 1) ip link set $qossettings{'IMQ_DEV'} up -- 2.12.2

1 9

[PATCH 1/2] suricata: Update to 5.0.0
by Matthias Fischer 18 Oct '19

18 Oct '19

For details see: https://suricata-ids.org/2019/10/15/release-notes-for-5-0-0/ Bundled with 'libhtp 0.5.31' Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/suricata | 3 +++ lfs/suricata | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 41b02525d..290a44164 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -3,6 +3,9 @@ etc/suricata/suricata.yaml #root/.cargo #root/.cargo/.package-cache usr/bin/suricata +#usr/include/htp/lzma +#usr/include/htp/lzma/7zTypes.h +#usr/include/htp/lzma/LzmaDec.h #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS #usr/share/doc/suricata/Basic_Setup.txt diff --git a/lfs/suricata b/lfs/suricata index f6e4a593c..c1a393e85 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 4.1.5 +VER = 5.0.0 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 0dfd68f6f4314c5c2eed7128112eff3b +$(DL_FILE)_MD5 = 5e3ce10e48aabf77855819c490dd84ee install : $(TARGET) -- 2.18.0

1 1

[PATCH] core137: Remove imq0 and unload imq module after QoS has been stopped
by Daniel Weismüller 18 Oct '19

18 Oct '19

Signed-off-by: Daniel Weismüller <daniel.weismueller(a)ipfire.org> --- config/rootfiles/core/137/update.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/rootfiles/core/137/update.sh b/config/rootfiles/core/137/update.sh index da87f9430..dcbd8112a 100644 --- a/config/rootfiles/core/137/update.sh +++ b/config/rootfiles/core/137/update.sh @@ -83,6 +83,12 @@ rm -rf /lib/modules # Stop services /usr/local/bin/qosctrl stop +# Delete imq0 if it is still present after QoS has been stopped +if [ -d "/sys/class/net/imq0" ]; then + ip link del dev imq0 + modprobe -r imq +fi + # Extract files extract_files -- 2.12.2

1 0

[PATCH] firewall: always allow outgoing DNS traffic to root servers
by peter.mueller＠ipfire.org 18 Oct '19

18 Oct '19

Allowing outgoing DNS traffic (destination port 53, both TCP and UDP) to the root servers is BCP for some reasons. First, RFC 5011 assumes resolvers are able to fetch new trust ancors from the root servers for a certain time period in order to do key rollovers. Second, Unbound shows some side effects if it cannot do trust anchor signaling (see RFC 8145) or fetch the current trust anchor, resulting in SERVFAILs for arbitrary requests a few minutes. There is little security implication of allowing DNS traffic to the root servers: An attacker might abuse this for exfiltrating data via DNS queries, but is unable to infiltrate data unless he gains control over at least one root server instance. If there is no firewall ruleset in place which prohibits any other DNS traffic than to chosen DNS servers, this patch will not have security implications at all. Fixes #12183 Cc: Michael Tremer <michael.tremer(a)ipfire.org> Suggested-by: Horace Michael <horace.michael(a)gmx.com> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/137/filelists/files | 1 + src/initscripts/system/firewall | 16 ++++++++++++++-- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/core/137/filelists/files b/config/rootfiles/core/137/filelists/files index ce4e51768..a02840d12 100644 --- a/config/rootfiles/core/137/filelists/files +++ b/config/rootfiles/core/137/filelists/files @@ -1,4 +1,5 @@ etc/system-release etc/issue +etc/rc.d/init.d/firewall srv/web/ipfire/cgi-bin/credits.cgi var/ipfire/langs diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ec396c708..ff63a2ede 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -6,10 +6,11 @@ eval $(/usr/local/bin/readhash /var/ipfire/ppp/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/optionsfw/settings) -IFACE=`/bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012'` +ROOTHINTS="/etc/unbound/root.hints" +IFACE=$( /bin/cat /var/ipfire/red/iface 2> /dev/null | /usr/bin/tr -d '\012' ) if [ -f /var/ipfire/red/device ]; then - DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'` + DEVICE=$( /bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012' ) fi function iptables() { @@ -307,6 +308,17 @@ iptables_init() { iptables -A INPUT -j TOR_INPUT iptables -N TOR_OUTPUT iptables -A OUTPUT -j TOR_OUTPUT + + # Allow outgoing DNS traffic (TCP and UDP) to DNS root servers + ROOTSERVERIPS="$( awk '/\s+A\s+/ { print $4 }' ${ROOTHINTS} | xargs )" + ipset -N root-servers iphash + + for ip in ${ROOTSERVERIPS}; do + ipset add root-servers $ip + done + + iptables -A OUTPUT -m set --match-set root-servers dst -p tcp --dport 53 -j ACCEPT + iptables -A OUTPUT -m set --match-set root-servers dst -p udp --dport 53 -j ACCEPT # Jump into the actual firewall ruleset. iptables -N INPUTFW -- 2.16.4

4 9

[PATCH] grub: Build after Python is available
by Michael Tremer 17 Oct '19

17 Oct '19

The build sometimes aborted because python was not found when Grub was being built for EFI. Fixes: #12209 Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- make.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/make.sh b/make.sh index ea9cbc10c..170b16504 100755 --- a/make.sh +++ b/make.sh @@ -1132,9 +1132,6 @@ buildipfire() { lfsmake2 lvm2 lfsmake2 multipath-tools lfsmake2 freetype - lfsmake2 grub - lfsmake2 efivar - lfsmake2 efibootmgr lfsmake2 libmnl lfsmake2 libnfnetlink lfsmake2 libnetfilter_queue @@ -1222,6 +1219,9 @@ buildipfire() { lfsmake2 libffi lfsmake2 python lfsmake2 python3 + lfsmake2 grub + lfsmake2 efivar + lfsmake2 efibootmgr lfsmake2 ca-certificates lfsmake2 fireinfo lfsmake2 libnet -- 2.20.1

1 0

dhcpcd 8.1.1 is out
by Matthias Fischer 17 Oct '19

17 Oct '19

Hi, 'dhcpcd 8.1.1' is out. => https://roy.marples.name/archives/dhcpcd-discuss/0002641.html "dhcpcd-8.1.1 has been released with the following changes: * IPv6: Fix a potential crash when udevs marks an interface ready. * Linux: compat shim added for setproctitle(3). * arc4random: fixed UB in compat shim. * DHCP: Fix fallout from dhcpcd-8.1.0 for checksum calculation. The last fix involved a lot a people, quite a few different fixes and played havoc with gcc-9.2 but should now be resolved." I'm working on it. Best, Matthias

2 2

[PATCH] bind: Update to 9.11.12
by Matthias Fischer 17 Oct '19

17 Oct '19

For details see: https://downloads.isc.org/isc/bind9/9.11.12/RELEASE-NOTES-bind-9.11.12.html Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/bind | 8 ++++---- lfs/bind | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index 6f90b879b..ff44473aa 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -272,11 +272,11 @@ usr/lib/libbind9.so.161.0.3 #usr/lib/libdns.la #usr/lib/libdns.so usr/lib/libdns.so.1107 -usr/lib/libdns.so.1107.0.1 +usr/lib/libdns.so.1107.0.2 #usr/lib/libisc.la #usr/lib/libisc.so usr/lib/libisc.so.1100 -usr/lib/libisc.so.1100.3.1 +usr/lib/libisc.so.1100.3.2 #usr/lib/libisccc.la #usr/lib/libisccc.so usr/lib/libisccc.so.161 @@ -284,11 +284,11 @@ usr/lib/libisccc.so.161.0.1 #usr/lib/libisccfg.la #usr/lib/libisccfg.so usr/lib/libisccfg.so.163 -usr/lib/libisccfg.so.163.0.2 +usr/lib/libisccfg.so.163.0.3 #usr/lib/liblwres.la #usr/lib/liblwres.so usr/lib/liblwres.so.161 -usr/lib/liblwres.so.161.0.1 +usr/lib/liblwres.so.161.0.2 #usr/share/man/man1/dig.1 #usr/share/man/man1/host.1 #usr/share/man/man1/nslookup.1 diff --git a/lfs/bind b/lfs/bind index b90d2da4e..edc3014f6 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.11.11 +VER = 9.11.12 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 5b4a301aa97387db81352f7466bac161 +$(DL_FILE)_MD5 = e6a55dcacc852bad9c5970c405383ea0 install : $(TARGET) -- 2.18.0

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development October 2019