Development January 2021

development@lists.ipfire.org

18 participants
78 discussions

[PATCH] iptables: Update to 1.8.6
by Adolf Belka 06 Jan '21

06 Jan '21

- Update from 1.8.5 to 1.8.6 - Changelog info Arturo Borrero Gonzalez (1): xtables-translate: don't fail if help was requested Giuseppe Scrivano (1): iptables: accept lock file name at runtime Jan Engelhardt (2): doc: document danger of applying REJECT to INVALID CTs build: resolve iptables-apply not getting installed Maciej Żenczykowski (1): libxtables: compiler warning fixes for NO_SHARED_LIBS Pablo Neira Ayuso (4): extensions: libxt_conntrack: provide translation for DNAT and SNAT --ctstate iptables: replace libnftnl table list by linux list iptables-nft: fix basechain policy configuration configure: bump version for 1.8.6 release Phil Sutter (31): xtables-restore: Fix verbose mode table flushing build: Fix for failing 'make uninstall' xtables-translate: Use proper clear_cs function tests: shell: Add help output to run-tests.sh nft: Make table creation purely implicit nft: Be lazy when flushing nft: cache: Drop duplicate chain check nft: Drop pointless nft_xt_builtin_init() call nft: Turn nft_chain_save() into a foreach-callback nft: Use nft_chain_find() in two more places nft: Reorder enum nft_table_type nft: Eliminate table list from cache nft: Fix command name in ip6tables error message tests: shell: Merge and extend return codes test xtables-monitor: Fix ip6tables rule printing nft: Fix for ruleset flush while restoring Makefile: Add missing man pages to CLEANFILES nft: cache: Check consistency with NFT_CL_FAKE, too nft: Extend use of nftnl_chain_list_foreach() nft: Fold nftnl_rule_list_chain_save() into caller nft: Use nft_chain_find() in nft_chain_builtin_init() nft: Fix for broken address mask match detection extensions: libipt_icmp: Fix translation of type 'any' libxtables: Make sure extensions register in revision order libxtables: Simplify pending extension registration libxtables: Register multiple extensions in ascending order nft: Make batch_add_chain() return the added batch object nft: Fix error reporting for refreshed transactions libiptc: Avoid gcc-10 zero-length array warning nft: Fix for concurrent noflush restore calls tests: shell: Improve concurrent noflush restore test a bit - Rootfiles updated Signed-off-by: Adolf Belka <ahb.ipfire(a)gmail.com> --- config/rootfiles/common/iptables | 1 + lfs/iptables | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/iptables b/config/rootfiles/common/iptables index 2246ee17c..564578216 100644 --- a/config/rootfiles/common/iptables +++ b/config/rootfiles/common/iptables @@ -133,6 +133,7 @@ sbin/ip6tables-apply sbin/ip6tables-restore sbin/ip6tables-save sbin/iptables +sbin/iptables-apply #sbin/iptables-legacy #sbin/iptables-legacy-restore #sbin/iptables-legacy-save diff --git a/lfs/iptables b/lfs/iptables index afe452f10..852cde6cc 100644 --- a/lfs/iptables +++ b/lfs/iptables @@ -24,7 +24,7 @@ include Config -VER = 1.8.5 +VER = 1.8.6 THISAPP = iptables-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -41,7 +41,7 @@ objects = $(DL_FILE) \ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) netfilter-layer7-v2.23.tar.gz = $(URL_IPFIRE)/netfilter-layer7-v2.23.tar.gz -$(DL_FILE)_MD5 = 42cfa96d4ac5eb93ee7ed8dd85cfe8fb +$(DL_FILE)_MD5 = bc0f0adccc93c09dc5b7507ccba93148 netfilter-layer7-v2.23.tar.gz_MD5 = 10910b6173d18e426cb56ae7e1300eeb install : $(TARGET) -- 2.30.0

1 0

[PATCH] unbound: keep probing when servers are down
by Jonatan Schlag 06 Jan '21

06 Jan '21

Till now when a server was in the "blocking regime" there was one probe made every 15 min, to see if this server is up again. In situations where all servers where down (e.g. because of a massive package loss) it could take up to 15 min to have a working dns again. This patch changes this behaviour in a way that a server marked down is probed every 2 min. Fixes: #12557 Signed-off-by: Jonatan Schlag <jonatan.schlag(a)ipfire.org> --- config/unbound/unbound.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf index 3aab6ea46..f78aaae8c 100644 --- a/config/unbound/unbound.conf +++ b/config/unbound/unbound.conf @@ -60,6 +60,9 @@ server: # Allow access from everywhere access-control: 0.0.0.0/0 allow + # Timeout behaviour + infra-keep-probing: yes + # Bootstrap root servers root-hints: "/etc/unbound/root.hints" -- 2.20.1

1 0

[PATCH] stunnel: Update to 5.57
by Adolf Belka 05 Jan '21

05 Jan '21

- Update of stunnel from 5.56 to 5.57 - Changelog Version 5.57, 2020.10.11, urgency: HIGH Security bugfixes The "redirect" option was fixed to properly handle "verifyChain = yes" (thx to Rob Hoes). OpenSSL DLLs updated to version 1.1.1h. New features New securityLevel configuration file option. FIPS support for RHEL-based distributions. Support for modern PostgreSQL clients (thx to Bram Geron). Windows tooltip texts updated to mention "stunnel". TLS 1.3 configuration updated for better compatibility. Bugfixes Fixed a transfer() loop bug. Fixed memory leaks on configuration reloading errors. DH/ECDH initialization restored for client sections. Delay startup with systemd until network is online. bin\libssp-0.dll removed when uninstalling. A number of testing framework fixes and improvements. - No change to rootfiles Signed-off-by: Adolf Belka <ahb.ipfire(a)gmail.com> --- lfs/stunnel | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/stunnel b/lfs/stunnel index 1ddb2a963..eab56e721 100644 --- a/lfs/stunnel +++ b/lfs/stunnel @@ -24,7 +24,7 @@ include Config -VER = 5.56 +VER = 5.57 THISAPP = stunnel-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = stunnel -PAK_VER = 5 +PAK_VER = 6 DEPS = @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 01b0ca9e071f582ff803a85d5ed72166 +$(DL_FILE)_MD5 = 6bbe921f8d2ab4967dc7ff42f6e5d45a install : $(TARGET) -- 2.30.0

1 0

[PATCH v2] general-functions.pl: Update to fix bug #12428
by Adolf Belka 05 Jan '21

05 Jan '21

- Patch of general-functions.pl for implementation of fix provided by Bernhard Bitsch in bug #12428. Had to be modified as that fix gave a failure for single character hostnames. Updated version prevents spaces being put into hostnames and works for single character hostnames - Updated subroutine validfqdn to apply consistent rules for hostname & domain name portions of fqdn - Minor updates for consistency across validhostname, validdomainname & validfqdn - Patch implemented into testbed system and confirmed working for hostnames, domain names and FQDN's. Signed-off-by: Adolf Belka <ahb.ipfire(a)gmail.com> --- config/cfgroot/general-functions.pl | 51 ++++++++++++++++------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 9be1e7708..a6656ccf5 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -635,12 +635,12 @@ sub validhostname # Checks a hostname against RFC1035 my $hostname = $_[0]; - # Each part should be at least two characters in length + # Hostname should be at least one character in length # but no more than 63 characters if (length ($hostname) < 1 || length ($hostname) > 63) { return 0;} # Only valid characters are a-z, A-Z, 0-9 and - - if ($hostname !~ /^[a-zA-Z0-9-\s]*$/) { + if ($hostname !~ /^[a-zA-Z0-9-]*$/) { return 0;} # First character can only be a letter or a digit if (substr ($hostname, 0, 1) !~ /^[a-zA-Z0-9]*$/) { @@ -655,46 +655,53 @@ sub validdomainname { my $part; - # Checks a domain name against RFC1035 + # Checks a domain name against RFC1035 and RFC2181 my $domainname = $_[0]; - my @parts = split (/\./, $domainname); # Split hostname at the '.' + my @parts = split (/\./, $domainname); # Split domain name at the '.' foreach $part (@parts) { - # Each part should be no more than 63 characters in length + # Each part should be at least one character in length + # but no more than 63 characters if (length ($part) < 1 || length ($part) > 63) { return 0;} # Only valid characters are a-z, A-Z, 0-9, _ and - if ($part !~ /^[a-zA-Z0-9_-]*$/) { - return 0; - } + return 0;} } return 1; } sub validfqdn { - my $part; - - # Checks a fully qualified domain name against RFC1035 + # Checks a fully qualified domain name against RFC1035 and RFC2181 my $fqdn = $_[0]; - my @parts = split (/\./, $fqdn); # Split hostname at the '.' + my @parts = split (/\./, $fqdn); # Split FQDN at the '.' if (scalar(@parts) < 2) { # At least two parts should return 0;} # exist in a FQDN # (i.e.hostname.domain) - foreach $part (@parts) { + + for (my $index=0; $index < scalar(@parts); $index++) { # Each part should be at least one character in length # but no more than 63 characters - if (length ($part) < 1 || length ($part) > 63) { - return 0;} - # Only valid characters are a-z, A-Z, 0-9 and - - if ($part !~ /^[a-zA-Z0-9-]*$/) { - return 0;} - # First character can only be a letter or a digit - if (substr ($part, 0, 1) !~ /^[a-zA-Z0-9]*$/) { - return 0;} - # Last character can only be a letter or a digit - if (substr ($part, -1, 1) !~ /^[a-zA-Z0-9]*$/) { + if (length ($parts[$index]) < 1 || length ($parts[$index]) > 63) { return 0;} + if ($index eq 0) { + # This is the hostname part + # Only valid characters are a-z, A-Z, 0-9 and - + if ($parts[$index] !~ /^[a-zA-Z0-9-]*$/) { + return 0;} + # First character can only be a letter or a digit + if (substr ($parts[$index], 0, 1) !~ /^[a-zA-Z0-9]*$/) { + return 0;} + # Last character can only be a letter or a digit + if (substr ($parts[$index], -1, 1) !~ /^[a-zA-Z0-9]*$/) { + return 0;} + } else{ + # This is the domain part + # Only valid characters are a-z, A-Z, 0-9, _ and - + if ($parts[$index] !~ /^[a-zA-Z0-9_-]*$/) { + return 0;} + } } return 1; } -- 2.30.0

2 2

[PATCH] ddns.cgi: Make dealing with auth tokens more user-friendly.
by Stefan Schantl 04 Jan '21

04 Jan '21

If a provider supports authentication with a token, now the username and password fileds will be swapped by some Java Script code in favour of an input field for the token. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- html/cgi-bin/ddns.cgi | 103 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 91 insertions(+), 12 deletions(-) diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 024eaf7f6..6eddb5124 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -59,14 +59,18 @@ $settings{'HOSTNAME'} = ''; $settings{'DOMAIN'} = ''; $settings{'LOGIN'} = ''; $settings{'PASSWORD'} = ''; +$settings{'TOKEN'} = ''; $settings{'ENABLED'} = ''; $settings{'PROXY'} = ''; $settings{'SERVICE'} = ''; $settings{'ACTION'} = ''; -# Get supported ddns providers. -my @providers = &GetProviders(); +# Get all supported ddns providers. +my @providers = &GetProviders("all"); + +# Get provider which support a token based authentication mechanism. +my @token_provider = &GetProviders("token-providers"); # Hook to regenerate the configuration files, if cgi got called from command line. if ($ENV{"REMOTE_ADDR"} eq "") { @@ -189,6 +193,12 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang:: $settings{'ENABLED'} = 'off'; } + # Check if a token has been provided. + if($settings{'TOKEN'}) { + # Assign the token as a password for saving. + $settings{'PASSWORD'} = $settings{'TOKEN'}; + } + # Handle adding new accounts. if ($settings{'ACTION'} eq $Lang::tr{'add'}) { # Open /var/ipfire/ddns/config for writing. @@ -234,7 +244,8 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang:: # Write out notice to logfile. &General::log($Lang::tr{'ddns hostname modified'}); } - undef $settings{'ID'}; + # Clear settings hash. + %settings = ''; # Update ddns config file. &GenerateDDNSConfigFile(); @@ -307,6 +318,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'edit'}) { $settings{'WILDCARDS'} = $temp[4]; $settings{'LOGIN'} = $temp[5]; $settings{'PASSWORD'} = $temp[6]; + $settings{'TOKEN'} = $temp[6]; $settings{'ENABLED'} = $temp[7]; } @@ -334,6 +346,58 @@ if (!$settings{'ACTION'}) { } &Header::openpage($Lang::tr{'dynamic dns'}, 1, ''); + +### Java Script ### +print"<script>\n"; + +# Generate Java Script Array which contains the provider that support token. +my $line = ""; +$line = join("', '", @token_provider); + +print "\t// Array which contains the providers that support token.\n"; +print "\ttoken_provider = ['$line']\;\n\n"; + +print <<END + // Java Script function to swap the text input fields for + // username and password or token. + var update_auth = function() { + if(inArray(\$('#SERVICE').val(), token_provider)) { + \$('.username').hide(); + \$('.password').hide(); + \$('.token').show(); + } else { + \$('.username').show(); + \$('.password').show(); + \$('.token').hide(); + } + }; + + // Java Script function to check if a given value is part of + // an array. + function inArray(value,array) { + var count=array.length; + + for(var i=0;i<count;i++) { + if(array[i]===value){ + return true; + } + } + + return false; + } + + // JQuery function to call corresponding function when + // the service provider is changed or the page is loaded for showing/hiding + // the username/password or token area. + \$(document).ready(function() { + \$('#SERVICE').change(update_auth); + update_auth(); + }); + +</script> +END +; + &Header::openbigbox('100%', 'left', '', $errormessage); # Read file for general ddns settings. @@ -414,7 +478,7 @@ print <<END END ; # Generate dropdown menu for service selection. - print"<select size='1' name='SERVICE'>\n"; + print"<select size='1' name='SERVICE' id='SERVICE'>\n"; my $selected; @@ -440,11 +504,15 @@ print <<END <tr> <td class='base'>$Lang::tr{'enabled'}</td> <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td> - <td class='base'>$Lang::tr{'username'}</td> - <td><input type='text' name='LOGIN' value='$settings{'LOGIN'}' /></td> + + <td class='username'>$Lang::tr{'username'}</td> + <td class='username'><input type='text' name='LOGIN' value='$settings{'LOGIN'}' /></td> + + <td class='token' style='display:none'>Token:</td> + <td class='token' style='display:none'><input type='text' name='TOKEN' value='$settings{'TOKEN'}' /></td> </tr> - <tr> + <tr class='password'> <td class='base'></td> <td></td> <td class='base'>$Lang::tr{'password'}</td> @@ -665,8 +733,8 @@ sub GenerateDDNSConfigFile { my $use_token = 0; - # Check if token based auth is configured. - if ($username eq "token") { + # Handle token based auth for various providers. + if ($provider ~~ @token_provider) { $use_token = 1; } @@ -707,9 +775,20 @@ sub GenerateDDNSConfigFile { } # Function which generates an array (@providers) which contains the supported providers. -sub GetProviders { - # Get supported providers. - open(PROVIDERS, "/usr/bin/ddns list-providers |"); +sub GetProviders ($) { + my ($type) = @_; + + # Set default type to get all providers + $type = $type ? $type : "all"; + + # Check if the requested type is "token-providers". + if ($type eq "token-providers") { + # Call ddns util to only get providers which supports token based auth. + open(PROVIDERS, "/usr/bin/ddns list-token-providers |"); + } else { + # Get all supported providers. + open(PROVIDERS, "/usr/bin/ddns list-providers |"); + } # Create new array to store the providers. my @providers = (); -- 2.20.1

2 1

[PATCH 1/3] toolchain: Add zstd
by Michael Tremer 03 Jan '21

03 Jan '21

Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- lfs/zstd | 11 +++++++++-- make.sh | 1 + 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/lfs/zstd b/lfs/zstd index c6af0f129..a4f0e1699 100644 --- a/lfs/zstd +++ b/lfs/zstd @@ -30,7 +30,14 @@ THISAPP = zstd-$(VER) DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) -TARGET = $(DIR_INFO)/$(THISAPP) + +ifeq "$(TOOLCHAIN)" "1" + TARGET = $(DIR_INFO)/$(THISAPP)-tools + PREFIX = $(TOOLS_DIR) +else + TARGET = $(DIR_INFO)/$(THISAPP) + PREFIX = /usr +endif ############################################################################### # Top-level Rules @@ -74,6 +81,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && make $(MAKETUNING) - cd $(DIR_APP) && make prefix=/usr install + cd $(DIR_APP) && make prefix=$(PREFIX) install @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/make.sh b/make.sh index cf4e779e4..a6c088dd5 100755 --- a/make.sh +++ b/make.sh @@ -1037,6 +1037,7 @@ buildtoolchain() { lfsmake1 binutils PASS=2 lfsmake1 gcc PASS=2 lfsmake1 zlib + lfsmake1 zstd lfsmake1 ccache PASS=2 lfsmake1 tcl lfsmake1 expect -- 2.20.1

1 2

[PATCH] knot: Update to 3.0.3
by Matthias Fischer 02 Jan '21

02 Jan '21

For details see: https://www.knot-dns.cz/2020-12-15-version-303.html Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/knot | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/knot b/lfs/knot index 4bb8dcbf0..8a3288cdf 100644 --- a/lfs/knot +++ b/lfs/knot @@ -24,7 +24,7 @@ include Config -VER = 3.0.2 +VER = 3.0.3 THISAPP = knot-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = c4e18bd1e595cffb185a042522985dec +$(DL_FILE)_MD5 = 96db8b271ab8c54dd8d4f69a480a71c5 install : $(TARGET) -- 2.18.0

2 1

[PATCH] wget: Update to 1.21
by Matthias Fischer 02 Jan '21

02 Jan '21

Sorry, no changelog found, only: https://fossies.org/linux/wget/ChangeLog Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/wget | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/wget b/lfs/wget index 00ca75033..903f266cb 100644 --- a/lfs/wget +++ b/lfs/wget @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 1.20.3 +VER = 1.21 THISAPP = wget-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = db4e6dc7977cbddcd543b240079a4899 +$(DL_FILE)_MD5 = 3852118b7a771a7c9c0388883c8f5dbf install : $(TARGET) -- 2.18.0

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development January 2021