Hello development folks,
Core Update 164 (testing; see: https://blog.ipfire.org/post/ipfire-2-27-core-update-164-is-available-for-te...) has been running here for about three days now without any major issues known so far.
While the updated kernel should fix XHCI issues affecting a relatively small fraction of our userbase pretty badly (see #12750), I was unable to confirm it does, as I do not have physical access to the only board affected in my environment. Also, I am not aware of any community feedback on this, either. Let's hope we'll hear about this soon...
Although not mentioned in the testing announcement due to ${reasons}, this update contains the "multiple IPS ruleset providers" by Stefan, also working fine. Thanks for that, too!
While the DROP_HOSTILE stuff works well and I have not yet read any complaint about it, there is a decent amount of apparently legitimate packets being logged (and subsequently dropped) as conntrack INVALIDs. Other users notice this as well.
I do not really see this as an issue: We now _know_ conntrack is dropping substantially more packets than we expected it to do, and can investigate why it does this. Yay.
Tested IPFire functionalities in detail:
- PPPoE dial-up via a DSL connection
- IPsec (N2N connections only)
- Squid (authentication enabled, using an upstream proxy)
- OpenVPN (RW connections only)
- IPS/Suricata (with Emerging Threats community ruleset enabled)
- Guardian
- Quality of Service
- DNS (using DNS over TLS and strict QNAME minimisation)
- Dynamic DNS
- Tor (relay mode)
I am looking forward to the release of Core Update 164.
Thanks, and best regards,
Peter Müller