Hello *,
upcoming Core Update 142 (testing, see: https://blog.ipfire.org/post/ipfire-2-25-core-update-142-is-available-for-te...) has been running here for about 24 hours now without any unexpected behaviour so far.
Suricata 5.0.2 significantly decreased performance penalties when running an IPS, especially when it comes to IPsec N2N traffic encapsulating HTTP(S) content (measured ~ 4 MBit/Sec. before, ~ 11 MBit/Sec. after with some non-deterministic peaks around 20 MBit/Sec.); however, the Emerging Threats folks are currently cleaning up their free ruleset as well, which might have some impact on this, too.
Special thanks to Stefan for making this possible!
refcount_t: increment on 0; use-after-free.
still happens with Suricata 5, but Michael already blamed something else as the root cause. ;-)
By looking at some tcpdumps, it seems like Unbound is indeed spreading its DNS queries across all configured (DNS over TLS) resolvers - which is a good thing in terms of privacy. :-) Missing TCP connection reuse still causes quite noticeable delays...
I can confirm Guardian is now blocking Apache httpd DoS sources again.
Enforcing properly signed kernel modules shows up in /var/log/bootlog as follows:
[ 2.673362] Loading compiled-in X.509 certificates
[ 2.679536] Loaded X.509 cert 'IPFire.org: Build time autogenerated kernel key: 059a804f6f2ed46fe68f9b15784d5fa8a62363d4'
Possibly related:
[ 9.887006] xt_geoip: loading out-of-tree module taints kernel.
Tested IPFire functionalities in detail:
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats ruleset enabled)
- Guardian
- Quality of Service
- DNS (with DNS over TLS)
- Tor (relay mode)
I look forward to the release of Core Update 142.
Thanks, and best regards, Peter Müller