Development May 2019

development@lists.ipfire.org

15 participants
54 discussions

[PATCH] BUG11695: Adding/editing rules with preset broken
by Alexander Marx 15 Jul '21

15 Jul '21

added another check to fill same ports in source and destination when a custom service is selected. Signed-off-by: Alexander Marx <alexander.marx(a)ipfire.org> Reported-by: erik(a)vanlinsteeict.nl --- html/cgi-bin/firewall.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 499f279..d17afab 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -757,6 +757,7 @@ sub checkrule } } if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} eq ''){$fwdfwsettings{'dnatport'}=$custsrvport;} + if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'grp3'} eq 'cust_srv'){$fwdfwsettings{'dnatport'}=$custsrvport;} } #check if DNAT port is multiple if($fwdfwsettings{'nat'} eq 'dnat' && $fwdfwsettings{'dnatport'} ne ''){ -- 2.7.4

3 2

[PATCH] firewall-lib.pl: Populate GeoIP rules only if location is available.
by Stefan Schantl 04 Jul '19

04 Jul '19

In case a GeoIP related firewall rule should be created, the script now will check if the given location is still available. Fixes #12054. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/firewall/firewall-lib.pl | 40 ++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 6 deletions(-) diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index 118744fd6..59ae096b0 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -70,6 +70,9 @@ my $netsettings = "${General::swroot}/ethernet/settings"; &General::readhasharray("$configsrvgrp", \%customservicegrp); &General::get_aliases(\%aliases); +# Get all available GeoIP locations. +my @available_geoip_locations = &get_geoip_locations(); + sub get_srv_prot { my $val=shift; @@ -456,17 +459,23 @@ sub get_address # Handle rule options with GeoIP as source. } elsif ($key eq "cust_geoip_src") { - # Get external interface. - my $external_interface = &get_external_interface(); + # Check if the given GeoIP location is available. + if(&geoip_location_is_available($value)) { + # Get external interface. + my $external_interface = &get_external_interface(); - push(@ret, ["-m geoip --src-cc $value", "$external_interface"]); + push(@ret, ["-m geoip --src-cc $value", "$external_interface"]); + } # Handle rule options with GeoIP as target. } elsif ($key eq "cust_geoip_tgt") { - # Get external interface. - my $external_interface = &get_external_interface(); + # Check if the given GeoIP location is available. + if(&geoip_location_is_available($value)) { + # Get external interface. + my $external_interface = &get_external_interface(); - push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]); + push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]); + } # If nothing was selected, we assume "any". } else { @@ -610,4 +619,23 @@ sub get_geoip_locations() { return &GeoIP::get_geoip_locations(); } +# Function to check if a database of a given GeoIP location is +# available. +sub geoip_location_is_available($) { + my ($location) = @_; + + # Loop through the global array of available GeoIP locations. + foreach my $geoip_location (@available_geoip_locations) { + # Check if the current processed location is the searched one. + if($location eq $geoip_location) { + # If it is part of the array, return "1" - True. + return 1; + } + } + + # If we got here, the given location is not part of the array of available + # zones. Return nothing. + return; +} + return 1; -- 2.20.1

3 3

[PATCH] monit: Update to 5.25.3
by Matthias Fischer 31 May '19

31 May '19

For details see: https://mmonit.com/monit/changes/ Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/monit | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/monit b/lfs/monit index 66c415f9f..9cdcd2f5f 100644 --- a/lfs/monit +++ b/lfs/monit @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 5.23.0 +VER = 5.25.3 THISAPP = monit-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = monit -PAK_VER = 10 +PAK_VER = 11 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 5fbaf7746a233f31ad0aed416ca1d0f9 +$(DL_FILE)_MD5 = 8d91f6e756cca42450ab0815b3086d5b install : $(TARGET) -- 2.18.0

1 0

[PATCH] tshark: Update to 3.0.2
by Erik Kapfer 28 May '19

28 May '19

Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html . - Disabled geoip support since libmaxminddb is not presant. - Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " . - Added CMAKE build type - Removed profile examples and htmls completly from ROOTFILE. Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> --- config/rootfiles/packages/tshark | 20 ++++++++++---------- lfs/tshark | 10 ++++++---- 2 files changed, 16 insertions(+), 14 deletions(-) diff --git a/config/rootfiles/packages/tshark b/config/rootfiles/packages/tshark index fde4030a4..816ab920b 100644 --- a/config/rootfiles/packages/tshark +++ b/config/rootfiles/packages/tshark @@ -608,10 +608,10 @@ usr/bin/tshark #usr/include/wireshark/wsutil/xtea.h #usr/lib/libwireshark.so usr/lib/libwireshark.so.12 -usr/lib/libwireshark.so.12.0.1 +usr/lib/libwireshark.so.12.0.2 #usr/lib/libwiretap.so usr/lib/libwiretap.so.9 -usr/lib/libwiretap.so.9.0.1 +usr/lib/libwiretap.so.9.0.2 #usr/lib/libwscodecs.so usr/lib/libwscodecs.so.2 usr/lib/libwscodecs.so.2.0.0 @@ -628,7 +628,7 @@ usr/lib/libwsutil.so.10.0.0 #usr/lib/wireshark/cmake/UseMakePluginReg.cmake #usr/lib/wireshark/cmake/WiresharkConfig.cmake #usr/lib/wireshark/cmake/WiresharkConfigVersion.cmake -#usr/lib/wireshark/cmake/WiresharkTargets-relwithdebinfo.cmake +#usr/lib/wireshark/cmake/WiresharkTargets-release.cmake #usr/lib/wireshark/cmake/WiresharkTargets.cmake #usr/lib/wireshark/extcap usr/lib/wireshark/extcap/androiddump @@ -652,7 +652,7 @@ usr/lib/wireshark/plugins/3.0/epan/unistim.so usr/lib/wireshark/plugins/3.0/epan/wimax.so usr/lib/wireshark/plugins/3.0/epan/wimaxasncp.so usr/lib/wireshark/plugins/3.0/epan/wimaxmacphy.so -usr/lib/wireshark/plugins/3.0/wiretap +#usr/lib/wireshark/plugins/3.0/wiretap usr/lib/wireshark/plugins/3.0/wiretap/usbdump.so #usr/share/doc/wireshark #usr/share/doc/wireshark/androiddump.html @@ -765,10 +765,10 @@ usr/share/wireshark/dtds/xcap-error.dtd #usr/share/wireshark/pdml2html.xsl #usr/share/wireshark/profiles #usr/share/wireshark/profiles/Bluetooth -usr/share/wireshark/profiles/Bluetooth/colorfilters -usr/share/wireshark/profiles/Bluetooth/preferences +#usr/share/wireshark/profiles/Bluetooth/colorfilters +#usr/share/wireshark/profiles/Bluetooth/preferences #usr/share/wireshark/profiles/Classic -usr/share/wireshark/profiles/Classic/colorfilters +#usr/share/wireshark/profiles/Classic/colorfilters #usr/share/wireshark/profiles/No #Reassembly #usr/share/wireshark/profiles/No @@ -776,7 +776,7 @@ usr/share/wireshark/profiles/Classic/colorfilters #usr/share/wireshark/radius #usr/share/wireshark/radius/README.radius_dictionary usr/share/wireshark/radius/custom.includes -#usr/share/wireshark/radius/dictionary +usr/share/wireshark/radius/dictionary usr/share/wireshark/radius/dictionary.3com usr/share/wireshark/radius/dictionary.3gpp usr/share/wireshark/radius/dictionary.3gpp2 @@ -994,7 +994,7 @@ usr/share/wireshark/tpncp/tpncp.dat #usr/share/wireshark/wimaxasncp usr/share/wireshark/wimaxasncp/dictionary.dtd usr/share/wireshark/wimaxasncp/dictionary.xml -usr/share/wireshark/wireshark-filter.html -usr/share/wireshark/wireshark.html +#usr/share/wireshark/wireshark-filter.html +#usr/share/wireshark/wireshark.html usr/share/wireshark/wka usr/share/wireshark/ws.css diff --git a/lfs/tshark b/lfs/tshark index a978cf73c..58c276e25 100644 --- a/lfs/tshark +++ b/lfs/tshark @@ -24,7 +24,7 @@ include Config -VER = 3.0.1 +VER = 3.0.2 THISAPP = wireshark-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -33,7 +33,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tshark DEPS = "krb5" -PAK_VER = 1 +PAK_VER = 2 ############################################################################### # Top-level Rules @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 370a113e1c8ec240c4621cfb5abb0c52 +$(DL_FILE)_MD5 = e344675283d6329a4bc213b621d7f46a install : $(TARGET) @@ -80,7 +80,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && mkdir build cd $(DIR_APP)/build && cmake .. \ -DBUILD_wireshark=OFF \ - -DCMAKE_INSTALL_PREFIX=/usr + -DCMAKE_INSTALL_PREFIX=/usr \ + -DCMAKE_BUILD_TYPE=Release \ + -DBUILD_mmdbresolve=OFF cd $(DIR_APP)/build && make $(PARALELLISMFLAGS) cd $(DIR_APP)/build && make install -- 2.12.2

3 2

Testing report for Core Update 132
by Peter Müller 28 May '19

28 May '19

Hello all, after testing too little in the past months, I am hereby trying to catch up for announced Core Update 132. Most services are running as expected: - IPsec - OpenVPN (tested with RW connections only) - DDNS - Squid (non-transparent, including upstream proxy) - Suricata (IPS mode, activated on all interfaces) Tor suffers from missing libseccomp dependency and a permission bug (see #12088), but starts correctly after installing the library and fixing /var/lib/tor permissions manually. I can confirm IDS rulesets download works in combination with an upstream proxy now (tested with Emerging Threats). Suricata seems to drop some packets (as internal connections sometimes take ages to establish), but does not log anything. This requires some further investigation, and it is kind of an evident-missing blame at the moment. Talking about the <sarcasm>all-new-and-improved Intel CPU vulnerabilities</sarcasm>, disabling SMT automatically seems to work: > [root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/* > /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected > /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled > /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI > /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected > /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization > /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling (CPU is an Intel Celeron N3150 4x 1.60 GHz .) However, the new WebUI CGI is partly missing German translations, and claims "Simultaneous Multi-Threading (SMT) is not supported". The latter is confusing, as the system states the opposite. Talking about aesthetics, the CGI is a bit messy, but that is not a functionality problem and might be fixed in an upcoming update. Thanks, and best regards, Peter Müller -- The road to Hades is easy to travel. -- Bion of Borysthenes

2 1

Disabling SMT by default on affected Intel processors
by Michael Tremer 27 May '19

27 May '19

Hello guys, It is quite late and I am pretty tired because Intel allowed me to spend another evening investigating what they did wrong. So here is just the short version of this: I had a call with Peter and Arne today and we discussed what we can do to actually fix the latest Intel vulnerabilities. There is only one option which is to disable SMT - or rather known as Intel Hyper-Threading by default. This will decrease performance by at least 40%. I think with our workload it might be worse. There is a new CGI which allows you to see how your hardware is affected and it allows you to force HT on if you really really want it and do not care about people breaking into your firewall. The code has just been pushed into next. Because I want to get this update out as soon as possible, please help me testing it and maybe if you have the time to do some benchmarks, that would be good to know how much performance we are actually losing. If you have questions, please don’t hesitate to ask. I am going to bed now :) -Michael

2 1

[PATCH 1/3] colm: New package
by Stefan Schantl 27 May '19

27 May '19

This is a build dependency of ragel, which is a build dependency of hyperscan. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/rootfiles/common/colm | 21 ++++++++++ lfs/colm | 79 ++++++++++++++++++++++++++++++++++++ make.sh | 1 + 3 files changed, 101 insertions(+) create mode 100644 config/rootfiles/common/colm create mode 100644 lfs/colm diff --git a/config/rootfiles/common/colm b/config/rootfiles/common/colm new file mode 100644 index 000000000..7f0d22396 --- /dev/null +++ b/config/rootfiles/common/colm @@ -0,0 +1,21 @@ +#usr/bin/colm +#usr/include/colm +#usr/include/colm/bytecode.h +#usr/include/colm/colm.h +#usr/include/colm/config.h +#usr/include/colm/debug.h +#usr/include/colm/defs.h +#usr/include/colm/input.h +#usr/include/colm/internal.h +#usr/include/colm/map.h +#usr/include/colm/pdarun.h +#usr/include/colm/pool.h +#usr/include/colm/program.h +#usr/include/colm/struct.h +#usr/include/colm/tree.h +#usr/include/colm/type.h +#usr/lib/libcolm-0.13.0.6.so +#usr/lib/libcolm.la +#usr/lib/libcolm.so +#usr/share/doc/colm +#usr/share/doc/colm/colm.vim diff --git a/lfs/colm b/lfs/colm new file mode 100644 index 000000000..5a722ba5e --- /dev/null +++ b/lfs/colm @@ -0,0 +1,79 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2018 IPFire Team <info(a)ipfire.org> # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see <http://www.gnu.org/licenses/>. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.13.0.6 + +THISAPP = colm-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 16aaf566cbcfe9a06154e094638ac709 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 2a5584f1a..8c9fec6c3 100755 --- a/make.sh +++ b/make.sh @@ -1321,6 +1321,7 @@ buildipfire() { lfsmake2 jansson lfsmake2 yaml lfsmake2 libhtp + lfsmake2 colm lfsmake2 suricata lfsmake2 oinkmaster lfsmake2 ids-ruleset-sources -- 2.20.1

2 3

[PATCH] ruleset-sources: Update snort dl urls.
by Stefan Schantl 26 May '19

26 May '19

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/suricata/ruleset-sources | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index cf6baa18e..8ec848202 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -1,8 +1,8 @@ # Ruleset for registered sourcefire users. -registered = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=<oinkcode> +registered = https://www.snort.org/rules/snortrules-snapshot-29130.tar.gz?oinkcode=<oinkcode> # Ruleset for registered sourcefire users with valid subscription. -subscripted = https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz?oinkcode=<oinkcode> +subscripted = https://www.snort.org/rules/snortrules-snapshot-29130.tar.gz?oinkcode=<oinkcode> # Community rules from sourcefire. community = https://www.snort.org/rules/community -- 2.20.1

1 0

[PATCH 1/2] jansson: Move to core system and update to 2.12
by Stefan Schantl 26 May '19

26 May '19

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/rootfiles/{packages => common}/jansson | 2 +- lfs/jansson | 8 ++------ make.sh | 2 +- 3 files changed, 4 insertions(+), 8 deletions(-) rename config/rootfiles/{packages => common}/jansson (85%) diff --git a/config/rootfiles/packages/jansson b/config/rootfiles/common/jansson similarity index 85% rename from config/rootfiles/packages/jansson rename to config/rootfiles/common/jansson index 3901a0690..005bd2ce5 100644 --- a/config/rootfiles/packages/jansson +++ b/config/rootfiles/common/jansson @@ -4,5 +4,5 @@ #usr/lib/libjansson.la #usr/lib/libjansson.so usr/lib/libjansson.so.4 -usr/lib/libjansson.so.4.10.0 +usr/lib/libjansson.so.4.11.1 #usr/lib/pkgconfig/jansson.pc diff --git a/lfs/jansson b/lfs/jansson index 14c6a3ee3..2c95c62ef 100644 --- a/lfs/jansson +++ b/lfs/jansson @@ -24,17 +24,13 @@ include Config -VER = 2.10 +VER = 2.12 THISAPP = jansson-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) -PROG = jansson -PAK_VER = 1 - -DEPS = "" ############################################################################### # Top-level Rules @@ -44,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 16a2c4e84c0a80ca61bd6e619a0f9358 +$(DL_FILE)_MD5 = 0ed1f3a924604aae68067c214b0010ef install : $(TARGET) diff --git a/make.sh b/make.sh index e70da788e..2a5584f1a 100755 --- a/make.sh +++ b/make.sh @@ -1318,6 +1318,7 @@ buildipfire() { lfsmake2 setserial lfsmake2 setup lfsmake2 libdnet + lfsmake2 jansson lfsmake2 yaml lfsmake2 libhtp lfsmake2 suricata @@ -1479,7 +1480,6 @@ buildipfire() { lfsmake2 watchdog lfsmake2 libpri lfsmake2 libsrtp - lfsmake2 jansson lfsmake2 asterisk lfsmake2 usb_modeswitch lfsmake2 usb_modeswitch_data -- 2.20.1

1 1

[PATCH] tor.cgi: Disable debugging output
by Erik Kapfer 26 May '19

26 May '19

Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> --- html/cgi-bin/tor.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 71da66666..d31eb1086 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -23,8 +23,8 @@ use strict; use Locale::Codes::Country; # enable only the following on debugging purpose -use warnings; -use CGI::Carp 'fatalsToBrowser'; +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/geoip-functions.pl"; -- 2.12.2

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development May 2019