Development June 2024

development@lists.ipfire.org

11 participants
41 discussions

[PATCH] Updates to u-boot script for Raspberry Pi 4b devices
by Craig Setera 22 Sep '24

22 Sep '24

Updates to u-boot script for Raspberry Pi 4b devices to properly configure the serial console and to choose the proper boot address to be used on newer board revisions. With these changes in place, I'm able to fully boot into a serial console in u-boot. The serial console configuration was derived from the Grub configuration, while the boot address changes were taken from the IPFire Raspberry 4b documentation page: https://www.ipfire.org/docs/hardware/arm/rpi/four Per the conversation in the forums, I don't know why the boot address changes are required. I was simply trying to automate those changes such that downloaded builds will work out of the box. https://community.ipfire.org/t/hang-with-kernel-starting-on-raspberry-pi/11… NOTE: The use of the different parameter options to the test command to minimize the need for deeply nested conditionals. I did try more bash-shell like syntax, but u-boot didn't seem to like that. The operators used here were found in the u-boot source. Tested-by: Craig Setera <craigjunk(a)setera.org> Signed-off-by: Craig Setera <craigjunk(a)setera.org> --- config/u-boot/boot.cmd | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/config/u-boot/boot.cmd b/config/u-boot/boot.cmd index a27996780..eedd5776d 100644 --- a/config/u-boot/boot.cmd +++ b/config/u-boot/boot.cmd @@ -51,7 +51,11 @@ if test "${SERIAL-CONSOLE}" = "ON"; then if test "${fdtfile}" = "broadcom/bcm2837-rpi-3-b.dtb"; then setenv console ttyS1,115200n8; else - setenv console ttyAMA0,115200n8; + if test "${fdtfile}" = "broadcom/bcm2711-rpi-4-b.dtb"; then + setenv console ttyS0,115200n8; + else + setenv console ttyAMA0,115200n8; + fi; fi; fi; else @@ -95,11 +99,28 @@ else setenv ramdisk_addr -; fi; +# +# Handle Raspberry Pi 4 address differences +# https://www.ipfire.org/docs/hardware/arm/rpi/four +# +setenv booti_fdt_addr ${fdt_addr_r}; +if test "${board}" -eq "rpi" -a ${cpu} -eq "armv8" -a "${fdtfile}" -eq "broadcom/bcm2711-rpi-4-b.dtb"; then + # Hardware revision 1.4 + if test ${board_revision} -eq 0xB03114 -o ${board_revision} -eq 0xC03114 -o ${board_revision} -eq 0xD03114; then + setenv booti_fdt_addr ${fdt_addr}; + fi + + # Hardware revision 1.5 + if test ${board_revision} -eq 0xB03115 -o ${board_revision} -eq 0xC03115 -o ${board_revision} -eq 0xD03115; then + setenv booti_fdt_addr ${fdt_addr}; + fi +fi; + bootz ${kernel_addr_r} ${ramdisk_addr} ${fdt_addr_r}; -booti ${kernel_addr_r} ${ramdisk_addr} ${fdt_addr_r}; +booti ${kernel_addr_r} ${ramdisk_addr} ${booti_fdt_addr}; bootz ${kernel_addr_r} - ${fdt_addr_r}; -booti ${kernel_addr_r} - ${fdt_addr_r}; +booti ${kernel_addr_r} - ${booti_fdt_addr}; # Recompile with: # mkimage -C none -A arm -T script -d /boot/boot.cmd /boot/boot.scr -- 2.40.1

2 6

Add IPFire to Discourse Discover?
by jon 17 Jul '24

17 Jul '24

Michael, et al., Could you, would you, add the IPFire Community to Discourse Discover? A little advertisement on Discourse might help with new members! Jon --- https://discover.discourse.org/ <https://discover.discourse.org/> Discover FAQs Discourse Discover is a directory of communities built using the open-source Discourse discussion platform. You can start your own community using our official hosting, or install it yourself! How do I get my community listed? To submit your Discourse community, it must be publicly accessible and have the admin setting "include in discourse discover" enabled. We will not approve any communities displaying content we find objectionable. This includes anything that is illegal, discriminatory, or inappropriate for a general audience in a public space. Appearing in Discourse Discover is at the discretion of the Discourse team. What data is my community sharing? The include in discourse discover site setting collects basic statistics from your community's /about page, as well as its: url title language logo My community is in the wrong category, how do I fix it? Discourse Discover is reviewed and categorized by the Discourse team. You can request changes by sending a message to team(a)discourse.org <mailto:team@discourse.org>. How do I contact you? If you have a question that's not answered here, feel free to send a message to team(a)discourse.org <mailto:team@discourse.org>.

2 3

[PATCH 1/2] header.pl: Add utf-8 handling into cleanhtml command
by Adolf Belka 17 Jul '24

17 Jul '24

- existing cleanhtml command does not handle diacritical charcters such as umlauts, acute, grave and circumflex accents. - In bug 12395 the problem was resolved by adding decode before and encode after the cleanhtml command in dns.cgi - Suggestion from @Michael Tremer was to add the decode and encode sections into the actual cleanhtml subroutine in header.pl - This patch submission is the execution of that suggestion. - This will ensure that whenever cleanhtml is used for any remark in a WUI page it will handle diacritical charcters. - Tested out on my vm testbed system and confirmed to be working when cleanhtml has the encode and decode lines. - Combined with this patch is another one that changes the dns.cgi to remove the decode and encode entries added into the cgi code. Suggested-by: Michael Tremer <michael.tremer(a)ipfire.org> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/cfgroot/header.pl | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index a67ff92ee..66b49e411 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -16,6 +16,7 @@ use File::Basename; use HTML::Entities(); use Socket; use Time::Local; +use Encode; our %color = (); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); @@ -365,8 +366,13 @@ sub escape($) { sub cleanhtml { my $outstring =$_[0]; $outstring =~ tr/,/ / if not defined $_[1] or $_[1] ne 'y'; - - return escape($outstring); + # decode the UTF-8 text so that characters with diacritical marks such as + # umlauts are treated correctly by the escape command + $outstring = &Encode::decode("UTF-8",$outstring); + escape($outstring); + # encode the text back to UTF-8 after running the escape command + $outstring = &Encode::encode("UTF-8",$outstring); + return $outstring; } sub connectionstatus -- 2.45.2

1 2

v2 First patch series for the roadmap item "Get rid of CONFIG_TYPE in the network config"
by Jonatan Schlag 06 Jul '24

06 Jul '24

Hi list, This is the second version of the first patch series for the roadmap item: https://www.ipfire.org/docs/roadmap/get-rid-of-configtype-in-network-config . This patch series introduces a bash testing library and a function readhash, which we will use in every bash script which needs to read our config files. As this patch set is already massive, I thought it might be better to discuss the function first before I introduce it in every script. Otherwise, we would talk about 50 patches and not 18. This amount would be somehow not reviewable. I kept the [[ over the single [, as from my point of view these are far more intutive. No pathname expansion or word splitting takes place in [[ which is the saver option. See also https://google.github.io/styleguide/shellguide.html#test----and--- Patches in this series are: # The first 9 patches introduce a bash testing library [PATCH v2 01/18] tests: Add bash lib [PATCH v2 02/18] tests/lib.sh: Add function test_value_in_array [PATCH v2 03/18] tests/lib.sh: Add check if variable exists to [PATCH v2 04/18] tests/lib.sh: Add logging functions [PATCH v2 05/18] tests/lib.sh: adjust to pytest logging style [PATCH v2 06/18] test_value_in_array: Check if the key is defined [PATCH v2 07/18] tests: Add function to test the ouput of a bash [PATCH v2 08/18] test: Add functions test_that_array_is_defined [PATCH v2 09/18] tests: Add functions test_that_array_doesnt_have_key # The next patch add the readhash function [PATCH v2 10/18] initscript functions: add readhash # The next 5 Patches are concerned with error handling [PATCH v2 11/18] initscript fkt: ignore blank lines in readhash [PATCH v2 12/18] initscripts fkt: Ignore comments in readhash [PATCH v2 13/18] initscripts fkt: ignore invalid keys in readhash [PATCH v2 14/18] initscripts fkt: Check for invalid values in readhash [PATCH v2 15/18] initscripts fkt: readhash should only parse lines with a = # The title says it all: [PATCH v2 16/18] initscripts fkt: keep readhash compatible with older # Keep my linter happy [PATCH v2 17/18] initscripts fkt: Fix shebang # Check that we fail on a missing file [PATCH v2 18/18] initscripts fkt: Check that readhash returns 1 on a

1 19

[PATCH 1/2] ipblocklist-sources: Update to include the 3CORESec ip blocklists
by Adolf Belka 03 Jul '24

03 Jul '24

- The patch for this was created by Stefan Schantl - Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024. - Tested on vm system. - The combined list was removed because it is just the three others which can be selected in the WUI to give the equivalent result. Created-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/ipblocklist/sources | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 0835c0f9c..69f964dd9 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -124,5 +124,23 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://www.blocklist.de', 'parser' => 'ip-or-net-list', 'rate' => '30m', - 'category' => 'attacker' } + 'category' => 'attacker' }, + '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' } ); -- 2.45.2

2 4

Access to IPFire git server
by jon 03 Jul '24

03 Jul '24

Michael, To continue this post about the IPFire git server: https://bugzilla.ipfire.org/show_bug.cgi?id=13254#c147 I want to use the git server but I do not think I have access. I see errors like this: ``` Connection closed by 81.3.27.45 port 22 fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. ``` And with FileZilla I access `people.ipfire.org` and I can read and write files. But I cannot access `git.ipfire.org`. I get this error: Do I need access to `git.ipfire.org` to access the ipfire git server? Best regards, Jon

2 1

[PATCH] suricata: Update to 7.0.6
by Matthias Fischer 28 Jun '24

28 Jun '24

Excerpt from changelog: "7.0.6 -- 2024-06-26 Security #7042: defrag: id reuse can lead to invalid reassembly (7.0.x backport)(CVE 2024-37151) Security #7105: http2: oom from duplicate headers (7.0.x backport) Security #7033: http/range: segv when http.memcap is reached (7.0.x backport) Security #6988: modbus: txs without responses are never freed (7.0.x backport) Bug #7107: packet: app-layer-events incorrectly used on recycled packets (7.0.x backport) Bug #7064: util/radix-tree: Possible dereference of nullptr in case of unsuccess allocation of memory for node (7.0.x backport) Bug #7063: smtp/mime: data command rejected by pipelining server does not reset data mode (7.0.x backport) Bug #7060: smtp: split name logged as 2 names (7.0.x backport) Bug #7050: af-packet: failure to start up on many threads plus high load (7.0.x backport) Bug #7043: Crasher in HTTP chunked / StreamingBuffer (7.0.x backport) Bug #7038: pcap/log: MacOS rotates file well before limit is reached (7.0.x backport) Bug #7035: time: in offline mode, time can stay behind at pcap start (7.0.x backport) Bug #7023: unix-socket: iface-bypassed-stat crash (7.0.x backport) Bug #7021: unix-socket: hostbit commands don't properly release host (7.0.x backport) Bug #7015: rust: build with rust 1.78 with slice::from_raw_parts now requiring the pointer to be non-null (7.0.x backport) Bug #6990: tls.random buffers don't work as expected (7.0.x backport) Bug #6986: iprep: rule with '=,0' can't match (7.0.x backport) Bug #6975: detect: log relevant frames app-layer metdata (7.0.x backport) Bug #6950: decode/ppp: decoder.event.ppp.wrong_type on valid packet (7.0.x backport) Bug #6897: detect/port: upper boundary ports are not correctly handled (7.0.x backport) Bug #6895: detect/port: port grouping does not happen correctly if gap between a single and range port (7.0.x backport) Bug #6862: Lightweight rules profiling: crash when profiling ends (7.0.x backport) Bug #6848: alerts: wrongly using tx id 0 when there is no tx (7.0.x backport) Bug #6845: coverity: warning in port grouping code (7.0.x backport) Bug #6844: detect/port: port ranges are incorrect when a port is single as well as a part of range (7.0.x backport) Bug #6690: Ethernet src should match src ip (7.0.x backport) Bug #6520: detect-engine/port: recursive DetectPortInsert calls are expensive (7.0.x backport) Optimization #6830: detect/port: port grouping is quite slow in worst cases (7.0.x backport) Optimization #6829: detect/port: PortGroupWhitelist fn takes a lot of processing time (7.0.x backport) Feature #7010: JA4 support for TLS and QUIC (7.0.x backport) Feature #6557: Capability to have rules profiling on pcap run (7.0.x backport) Documentation #6910: userguide: document how to verify tar.gz signature (7.0.x backport) Documentation #6687: docs: port userguide build instruction changes from master-6.0.x (7.0.x backport) Documentation #6601: docs: update eBPF installation instructions (7.0.x backport)" Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/suricata | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/suricata b/lfs/suricata index a987fc520..88f3c4575 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 7.0.5 +VER = 7.0.6 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 9a44e4561edcc8909853b88779aa520a79b684ca9114479a95b2b34f8e34b6a0f5887d4b332dddb9da225335d7642089345e7f245a1ebce68f42f38126eb4b58 +$(DL_FILE)_BLAKE2 = e031eda35913f0db553ae68e6fc4173db2f0a87b2f2c60141edf09abba3eef44cdba6cca1db039c8814525ff803dd60ea13cbba7b66e57fed3ae5297f90c7b18 install : $(TARGET) -- 2.34.1

2 2

[PATCH] nano: Update to 8.0
by Matthias Fischer 26 Jun '24

26 Jun '24

For details see: https://www.nano-editor.org/news.php "2024 May 1 - GNU nano 8.0 "Grus grus" By default ^F is bound to starting a forward search, and ^B to starting a backward search, while M-F and M-B repeat the search in the corresponding direction. (See the documentation if you want the old bindings back.) Command-line option --modernbindings (-/) makes ^Q quit, ^X cut, ^C copy, ^V paste, ^Z undo, ^Y redo, ^O open a file, ^W write a file, ^R replace, ^G find again, ^D find again backwards, ^A set the mark, ^T jump to a line, ^P show the position, and ^E execute. Above modern bindings are activated also when the name of nano's executable (or a symlink to it) starts with the letter "e". To open a file at a certain line number, one can now use also nano filename:number, besides nano +number filename. <Alt+Home> and <Alt+End> put the cursor on the first and last row in the viewport, while retaining the horizontal position. When the three digits in an #RGB color code are all the same, the code is mapped to the xterm grey scale, giving access to fourteen levels of grey instead of just four. For easier access, M-" is bound to placing/removing an anchor, and M-' to jumping to the next anchor. Whenever an error occurs, the keystroke buffer is cleared, thus stopping the execution of a macro or a string bind. The mousewheel scrolls the viewport instead of moving the cursor." Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/nano | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/nano b/lfs/nano index 735f4e66f..41d87c3d9 100644 --- a/lfs/nano +++ b/lfs/nano @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 7.2 +VER = 8.0 THISAPP = nano-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = c7e3b18383e9f2f9db1f6059c875ddd164d730ea0e5b363e66fb8e5f30e8598ba49a5afd8eea3a55e295f1e43fb136019f60cc9154ae276c5d589002c0e5298a +$(DL_FILE)_BLAKE2 = ba36182da059a3ee4c1fc60a200dee26f47cc6b1441b7ff665b82871f2f8fcac054f6adf82966d353234141bf9c521518da8fa967aca28307bccf43e015ddaea install : $(TARGET) -- 2.34.1

1 0

[PATCH] bind: Update to 9.16.50
by Matthias Fischer 25 Jun '24

25 Jun '24

For details see: https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#notes-f… "New Features Added RESOLVER.ARPA to the built in empty zones." Important: "This is the last maintenance release of BIND 9.16. This version is now end of life. Please upgrade to BIND 9.18, the current stable version." Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/bind | 14 +++++++------- lfs/bind | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/config/rootfiles/common/bind b/config/rootfiles/common/bind index de2dc717b..86383fb74 100644 --- a/config/rootfiles/common/bind +++ b/config/rootfiles/common/bind @@ -271,24 +271,24 @@ usr/bin/nsupdate #usr/include/pk11/site.h #usr/include/pkcs11 #usr/include/pkcs11/pkcs11.h -usr/lib/libbind9-9.16.49.so +usr/lib/libbind9-9.16.50.so #usr/lib/libbind9.la #usr/lib/libbind9.so -usr/lib/libdns-9.16.49.so +usr/lib/libdns-9.16.50.so #usr/lib/libdns.la #usr/lib/libdns.so -usr/lib/libirs-9.16.49.so +usr/lib/libirs-9.16.50.so #usr/lib/libirs.la #usr/lib/libirs.so -usr/lib/libisc-9.16.49.so +usr/lib/libisc-9.16.50.so #usr/lib/libisc.la #usr/lib/libisc.so -usr/lib/libisccc-9.16.49.so +usr/lib/libisccc-9.16.50.so #usr/lib/libisccc.la #usr/lib/libisccc.so -usr/lib/libisccfg-9.16.49.so +usr/lib/libisccfg-9.16.50.so #usr/lib/libisccfg.la #usr/lib/libisccfg.so -usr/lib/libns-9.16.49.so +usr/lib/libns-9.16.50.so #usr/lib/libns.la #usr/lib/libns.so diff --git a/lfs/bind b/lfs/bind index dda8db73f..a79020f03 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@ include Config -VER = 9.16.49 +VER = 9.16.50 THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -43,7 +43,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a088e2ab29bbf2889a279f1553fbc8fc694bded1f360e4a922a24f9d0e0224dd96181691e08efed4270cfcd0ce726944f8afa41032b81433e3a1311fd1b2dd74 +$(DL_FILE)_BLAKE2 = 0464d1e246d0a5c39e20faf733b7f4ee21d192cc0ccce5bba2a22ae4303c82005ccfb319fe2da51872c7258852a747984d7327c70dec08414ab2d194c412199b install : $(TARGET) -- 2.34.1

1 0

[PATCH] update-ipblocklists: remove "<INFO> Skipping" log entries
by Jon Murphy 24 Jun '24

24 Jun '24

- Remove two <INFO> log entries from message log. Signed-off-by: Jon Murphy <jon.murphy(a)ipfire.org> --- src/scripts/update-ipblocklists | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists index a17b47999..dddde8d27 100644 --- a/src/scripts/update-ipblocklists +++ b/src/scripts/update-ipblocklists @@ -86,7 +86,7 @@ foreach my $blocklist (@blocklists) { # Check if enough time has passed since the last download of the list. if ($time <= $holdoff_time) { # To frequent updates, log to syslog. - &_log_to_syslog("<INFO> Skipping $blocklist blocklist - Too frequent update attempts!"); + # &_log_to_syslog("<INFO> Skipping $blocklist blocklist - Too frequent update attempts!"); # Skip this provider. next; @@ -100,7 +100,7 @@ foreach my $blocklist (@blocklists) { # Handle different return codes. if ($return eq "not_modified") { # Log notice to syslog. - &_log_to_syslog("<INFO> Skipping $blocklist blocklist - It has not been modified!"); + # &_log_to_syslog("<INFO> Skipping $blocklist blocklist - It has not been modified!"); } elsif ($return eq "dl_error") { # Log error to the syslog. &_log_to_syslog("<ERROR> Could not update $blocklist blocklist - Download error\!"); -- 2.30.2

4 10

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development June 2024