IPFire-SCM

ipfire-scm@lists.ipfire.org

1 participants
7857 discussions

[git.ipfire.org] IPFire 2.x development tree branch, core131, updated. 0c52297641c96927eba3476851957ef0fe321ec8
by Arne Fitzenreiter 01 May '19

01 May '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, core131 has been updated via 0c52297641c96927eba3476851957ef0fe321ec8 (commit) via 0034a92ad79d6c9853216602960c8ebe22d13b21 (commit) from 9cf253e150078852877f5ee530aeb3408fa4216b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0c52297641c96927eba3476851957ef0fe321ec8 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Wed May 1 17:03:06 2019 +0200 suricata: Remove PID file on stop Force the initscript to remove the PID file when calling "stop" section. If suricata crashes during startup, the PID file still remains and the service cannot be started anymore until the file has been deleted. Now when calling "stop" or "restart" the PID file will be deleted and the service can be used again. Fixes #12067. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 0034a92ad79d6c9853216602960c8ebe22d13b21 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Wed May 1 16:49:25 2019 +0200 update-ids-ruleset: Set correct ownership for the rulestarball. The script usualy will be executed by cron which will start it with root permissions, so the downloaded tarball is owned by this user. This has to be changed to the user which runs the WUI (nobody:nobody) to allow, changing the ruleset to an other one and to display the ruleset area. Fixes #12066 Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: src/initscripts/system/suricata | 3 +++ src/scripts/update-ids-ruleset | 3 +++ 2 files changed, 6 insertions(+) Difference in files: diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index c9f131fca..38b6a40d8 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,9 @@ case "$1" in # Remove suricata control socket. rm /var/run/suricata/* >/dev/null 2>/dev/null + # Trash remain pid file if still exists. + rm -f $PID_FILE >/dev/null 2>/dev/null + # Don't report returncode of rm if suricata was not started exit 0 ;; diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 14ea25ec6..f28a8c156 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -58,6 +58,9 @@ if(&IDS::downloadruleset()) { exit 0; } +# Set correct ownership for the downloaded tarball. +&IDS::set_ownership("$IDS::rulestarball"); + # Call oinkmaster to alter the ruleset. &IDS::oinkmaster(); hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, master, updated. 0c52297641c96927eba3476851957ef0fe321ec8
by Arne Fitzenreiter 01 May '19

01 May '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, master has been updated via 0c52297641c96927eba3476851957ef0fe321ec8 (commit) via 0034a92ad79d6c9853216602960c8ebe22d13b21 (commit) from 9cf253e150078852877f5ee530aeb3408fa4216b (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0c52297641c96927eba3476851957ef0fe321ec8 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Wed May 1 17:03:06 2019 +0200 suricata: Remove PID file on stop Force the initscript to remove the PID file when calling "stop" section. If suricata crashes during startup, the PID file still remains and the service cannot be started anymore until the file has been deleted. Now when calling "stop" or "restart" the PID file will be deleted and the service can be used again. Fixes #12067. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 0034a92ad79d6c9853216602960c8ebe22d13b21 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Wed May 1 16:49:25 2019 +0200 update-ids-ruleset: Set correct ownership for the rulestarball. The script usualy will be executed by cron which will start it with root permissions, so the downloaded tarball is owned by this user. This has to be changed to the user which runs the WUI (nobody:nobody) to allow, changing the ruleset to an other one and to display the ruleset area. Fixes #12066 Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: src/initscripts/system/suricata | 3 +++ src/scripts/update-ids-ruleset | 3 +++ 2 files changed, 6 insertions(+) Difference in files: diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index c9f131fca..38b6a40d8 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -171,6 +171,9 @@ case "$1" in # Remove suricata control socket. rm /var/run/suricata/* >/dev/null 2>/dev/null + # Trash remain pid file if still exists. + rm -f $PID_FILE >/dev/null 2>/dev/null + # Don't report returncode of rm if suricata was not started exit 0 ;; diff --git a/src/scripts/update-ids-ruleset b/src/scripts/update-ids-ruleset index 14ea25ec6..f28a8c156 100644 --- a/src/scripts/update-ids-ruleset +++ b/src/scripts/update-ids-ruleset @@ -58,6 +58,9 @@ if(&IDS::downloadruleset()) { exit 0; } +# Set correct ownership for the downloaded tarball. +&IDS::set_ownership("$IDS::rulestarball"); + # Call oinkmaster to alter the ruleset. &IDS::oinkmaster(); hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 1f367e0aab3ffb1bc8d5528dc1a383142ab3d92b
by Arne Fitzenreiter 01 May '19

01 May '19

1 0

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 5a4617a8711d69ba6ce19ca05a4fd21033dc72d1
by Michael Tremer 30 Apr '19

30 Apr '19

1 0

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. a7e185c5904d3dfc0f53d42ee539991b5bf193d1
by Michael Tremer 28 Apr '19

28 Apr '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via a7e185c5904d3dfc0f53d42ee539991b5bf193d1 (commit) via 4987d0ed19a3e485a584899a6424f76813982f7a (commit) via bab38dad60b7385127a26a9beb8d3fd637e77e8c (commit) via 7f156022b50ef8add8d55bb2983cbf105e6ba976 (commit) from 20c7552e0d1453e90cd069a83c712ff29fb1cbc7 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit a7e185c5904d3dfc0f53d42ee539991b5bf193d1 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Sun Apr 28 09:41:50 2019 +0100 grub: Fix rootfile Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 4987d0ed19a3e485a584899a6424f76813982f7a Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Sat Apr 27 03:58:44 2019 +0100 grub: Fix relocation type issue Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit bab38dad60b7385127a26a9beb8d3fd637e77e8c Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Sat Apr 27 01:40:43 2019 +0100 ipfire-netboot: Fix compiling and linking with new GCC & binutils Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 7f156022b50ef8add8d55bb2983cbf105e6ba976 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Sat Apr 27 00:21:39 2019 +0100 sarg: Fix build with newer GCCs Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/x86_64/grub | 2 + lfs/grub | 1 + lfs/ipfire-netboot | 2 + lfs/sarg | 3 + src/patches/grub-2.02-X86_64_PLT32.patch | 75 ++++++++++++++++++++++ ...-stringop-truncation-warning-with-gcc-8-x.patch | 32 +++++++++ src/patches/ipxe-handle-R_X86_64_PLT32.patch | 23 +++++++ src/patches/sarg/sarg-2.3.11-configure.patch | 38 +++++++++++ src/patches/sarg/sarg-2.3.11-format.patch | 52 ++++++++------- 9 files changed, 205 insertions(+), 23 deletions(-) create mode 100644 src/patches/grub-2.02-X86_64_PLT32.patch create mode 100644 src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch create mode 100644 src/patches/ipxe-handle-R_X86_64_PLT32.patch create mode 100644 src/patches/sarg/sarg-2.3.11-configure.patch Difference in files: diff --git a/config/rootfiles/common/x86_64/grub b/config/rootfiles/common/x86_64/grub index c73e33986..c6fcfc78f 100644 --- a/config/rootfiles/common/x86_64/grub +++ b/config/rootfiles/common/x86_64/grub @@ -146,6 +146,8 @@ usr/lib/grub/i386-pc/drivemap.mod usr/lib/grub/i386-pc/drivemap.module usr/lib/grub/i386-pc/echo.mod usr/lib/grub/i386-pc/echo.module +usr/lib/grub/i386-pc/efiemu.mod +usr/lib/grub/i386-pc/efiemu.module usr/lib/grub/i386-pc/ehci.mod usr/lib/grub/i386-pc/ehci.module usr/lib/grub/i386-pc/elf.mod diff --git a/lfs/grub b/lfs/grub index 56cc9b557..67a9e1002 100644 --- a/lfs/grub +++ b/lfs/grub @@ -101,6 +101,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02_disable_vga_fallback.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-xfs-accept-filesystem-with-sparse-inodes.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-X86_64_PLT32.patch # Install unifont cp -v $(DIR_DL)/unifont-7.0.03.pcf.gz $(DIR_APP)/unifont.pcf.gz diff --git a/lfs/ipfire-netboot b/lfs/ipfire-netboot index b316c9bbd..23f5d4375 100644 --- a/lfs/ipfire-netboot +++ b/lfs/ipfire-netboot @@ -77,6 +77,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Extract iPXE source cd $(DIR_APP) && tar axf $(DIR_DL)/ipxe-$(PXE_VER).tar.gz + cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch + cd $(DIR_APP)/ipxe-$(PXE_VER) && patch -Np1 < $(DIR_SRC)/src/patches/ipxe-handle-R_X86_64_PLT32.patch cd $(DIR_APP) && rm -rfv ipxe && ln -s ipxe-$(PXE_VER) ipxe cd $(DIR_APP) && make $(MAKETUNING) bin/ipxe.lkrn ifeq "$(BUILD_ARCH)" "x86_64" diff --git a/lfs/sarg b/lfs/sarg index c35ca8df0..622f719fd 100644 --- a/lfs/sarg +++ b/lfs/sarg @@ -80,6 +80,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-format.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sarg/sarg-2.3.11-configure.patch + + cd $(DIR_APP) && autoreconf -vfi # Update gettext Makefile cd $(DIR_APP) && cp -vf /usr/share/gettext/po/Makefile.in.in po/Makefile.in.in diff --git a/src/patches/grub-2.02-X86_64_PLT32.patch b/src/patches/grub-2.02-X86_64_PLT32.patch new file mode 100644 index 000000000..2c65cb78a --- /dev/null +++ b/src/patches/grub-2.02-X86_64_PLT32.patch @@ -0,0 +1,75 @@ +From 02702bdfe14d8a04643a45b03715f734ae34dbac Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools(a)gmail.com> +Date: Sat, 17 Feb 2018 06:47:28 -0800 +Subject: x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32 + +Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a: + +https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a + +x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for +32-bit PC-relative branches. Grub2 should treat R_X86_64_PLT32 as +R_X86_64_PC32. + +Signed-off-by: H.J. Lu <hjl.tools(a)gmail.com> +Reviewed-by: Daniel Kiper <daniel.kiper(a)oracle.com> + +Origin: upstream, https://git.savannah.gnu.org/cgit/grub.git/commit/?id=842c390469e2c2e10b5aa… +Last-Update: 2018-07-30 + +Patch-Name: R_X86_64_PLT32.patch +--- + grub-core/efiemu/i386/loadcore64.c | 1 + + grub-core/kern/x86_64/dl.c | 1 + + util/grub-mkimagexx.c | 1 + + util/grub-module-verifier.c | 1 + + 4 files changed, 4 insertions(+) + +diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c +index e49d0b6ff..18facf47f 100644 +--- a/grub-core/efiemu/i386/loadcore64.c ++++ b/grub-core/efiemu/i386/loadcore64.c +@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + err = grub_efiemu_write_value (addr, + *addr32 + rel->r_addend + + sym.off +diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c +index 440690673..3a73e6e6c 100644 +--- a/grub-core/kern/x86_64/dl.c ++++ b/grub-core/kern/x86_64/dl.c +@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + { + grub_int64_t value; + value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value - +diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c +index e63f148e4..f20255a28 100644 +--- a/util/grub-mkimagexx.c ++++ b/util/grub-mkimagexx.c +@@ -832,6 +832,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections, + break; + + case R_X86_64_PC32: ++ case R_X86_64_PLT32: + { + grub_uint32_t *t32 = (grub_uint32_t *) target; + *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32) +diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c +index 9179285a5..a79271f66 100644 +--- a/util/grub-module-verifier.c ++++ b/util/grub-module-verifier.c +@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = { + -1 + }, (int[]){ + R_X86_64_PC32, ++ R_X86_64_PLT32, + -1 + } + }, diff --git a/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch b/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch new file mode 100644 index 000000000..af4bd5926 --- /dev/null +++ b/src/patches/ipxe-fix-stringop-truncation-warning-with-gcc-8-x.patch @@ -0,0 +1,32 @@ +From ddfb60813c74e988ba7c16dbbe1b163593c9da4e Mon Sep 17 00:00:00 2001 +From: Christian Hesse <mail(a)eworm.de> +Date: Tue, 15 May 2018 23:25:01 +0200 +Subject: [PATCH] [build] fix stringop truncation warning with GCC 8.x +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +GCC 8.x gives a warning about stringop truncation: + +util/elf2efi.c:497:2: error: ‘strncpy’ specified bound 8 equals destination +size [-Werror=stringop-truncation] + +It assumes that strncpy() is intended to copy strings, which are NULL +terminated. We do copy fixed size memory regions, so use memcpy() instead. +--- + src/util/elf2efi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c +index 6718df777..de3c92463 100644 +--- a/src/util/elf2efi.c ++++ b/src/util/elf2efi.c +@@ -494,7 +494,7 @@ static struct pe_section * process_section ( struct elf_file *elf, + memset ( new, 0, sizeof ( *new ) + section_filesz ); + + /* Fill in section header details */ +- strncpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); ++ memcpy ( ( char * ) new->hdr.Name, name, sizeof ( new->hdr.Name ) ); + new->hdr.Misc.VirtualSize = section_memsz; + new->hdr.VirtualAddress = shdr->sh_addr; + new->hdr.SizeOfRawData = section_filesz; diff --git a/src/patches/ipxe-handle-R_X86_64_PLT32.patch b/src/patches/ipxe-handle-R_X86_64_PLT32.patch new file mode 100644 index 000000000..ef2d4343e --- /dev/null +++ b/src/patches/ipxe-handle-R_X86_64_PLT32.patch @@ -0,0 +1,23 @@ +From 5dce2d454b2829431e0484ac0f993b7a2759e0df Mon Sep 17 00:00:00 2001 +From: Christian Hesse <mail(a)eworm.de> +Date: Sat, 25 Aug 2018 13:53:08 +0200 +Subject: [PATCH] [build] handle R_X86_64_PLT32 from binutils 2.31 + +Starting from binutils 2.31.0 (commit bd7ab16b) x86-64 assembler +generates R_X86_64_PLT32 instead of R_X86_64_PC32. +--- + src/util/elf2efi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/util/elf2efi.c b/src/util/elf2efi.c +index 6718df777..2c5b9df8a 100644 +--- a/src/util/elf2efi.c ++++ b/src/util/elf2efi.c +@@ -636,6 +636,7 @@ static void process_reloc ( struct elf_file *elf, const Elf_Shdr *shdr, + case ELF_MREL ( EM_ARM, R_ARM_THM_JUMP24 ) : + case ELF_MREL ( EM_ARM, R_ARM_V4BX ): + case ELF_MREL ( EM_X86_64, R_X86_64_PC32 ) : ++ case ELF_MREL ( EM_X86_64, R_X86_64_PLT32 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_CALL26 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_JUMP26 ) : + case ELF_MREL ( EM_AARCH64, R_AARCH64_ADR_PREL_LO21 ) : diff --git a/src/patches/sarg/sarg-2.3.11-configure.patch b/src/patches/sarg/sarg-2.3.11-configure.patch new file mode 100644 index 000000000..ca9695595 --- /dev/null +++ b/src/patches/sarg/sarg-2.3.11-configure.patch @@ -0,0 +1,38 @@ +--- sarg-2.3.11/configure.ac~ 2019-04-26 22:34:33.499022406 +0000 ++++ sarg-2.3.11/configure.ac 2019-04-26 22:35:11.886556020 +0000 +@@ -29,35 +29,6 @@ + # Report more warnings to improve code quality. + CFLAGS="${CFLAGS} -Wall -Wno-sign-compare" + +-dnl Check for supported compiler options +- +-AC_MSG_CHECKING([for extra warnings flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Wextra -Wno-unused-parameter" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_extra_warnings="yes"],[have_extra_warnings="no"]) +-AC_MSG_RESULT($have_extra_warnings) +-if test "$have_extra_warnings" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- +-AC_MSG_CHECKING([for implicit-function-declaration error flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Werror=implicit-function-declaration" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_implicit_function_declaration="yes"],[have_implicit_function_declaration="no"]) +-AC_MSG_RESULT($have_implicit_function_declaration) +-if test "$have_implicit_function_declaration" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- +-AC_MSG_CHECKING([for format error flag in $CC]) +-saved_CFLAGS="${CFLAGS}" +-CFLAGS="${CFLAGS} -Werror=format" +-AC_COMPILE_IFELSE([AC_LANG_SOURCE([])],[have_error_format="yes"],[have_error_format="no"]) +-AC_MSG_RESULT($have_error_format) +-if test "$have_error_format" = "no" ; then +- CFLAGS="${saved_CFLAGS}" +-fi +- + case "$host" in + *-solaris*) + LDFLAGS="${LDFLAGS} -lsocket -lnsl" diff --git a/src/patches/sarg/sarg-2.3.11-format.patch b/src/patches/sarg/sarg-2.3.11-format.patch index b03636d0c..d8ed22028 100644 --- a/src/patches/sarg/sarg-2.3.11-format.patch +++ b/src/patches/sarg/sarg-2.3.11-format.patch @@ -1,39 +1,45 @@ -diff -Naur sarg-2.3.11.org/index.c sarg-2.3.11/index.c ---- sarg-2.3.11.org/index.c 2018-01-14 19:00:22.000000000 +0100 -+++ sarg-2.3.11/index.c 2018-01-24 14:38:19.746338020 +0100 -@@ -89,9 +89,9 @@ - char monthdir[MAXLEN]; - char monthname1[9], monthname2[9]; - char nmonth[30]; -- char monthnum[10]; -+ char monthnum[15]; - char dayindex[MAXLEN]; -- char daynum[10]; -+ char daynum[15]; - char title[80]; - int yearsort[150]; - int nyears; -diff -Naur sarg-2.3.11.org/report.c sarg-2.3.11/report.c ---- sarg-2.3.11.org/report.c 2018-01-14 19:00:23.000000000 +0100 -+++ sarg-2.3.11/report.c 2018-01-24 14:38:19.742337939 +0100 +diff -wbBur sarg-2.3.11/index.c sarg-2.3.11.my/index.c +--- sarg-2.3.11/index.c 2018-01-14 21:00:22.000000000 +0300 ++++ sarg-2.3.11.my/index.c 2018-02-19 12:20:15.896203347 +0300 +@@ -208,7 +208,7 @@ + m1=month / 16; + if(month % 16 != 0) { + m2=month % 16; +- sprintf(monthnum,"%02d-%02d",m1,m2); ++ sprintf(monthnum,"%02u-%02u",(unsigned int)m1,(unsigned int)m2); + sprintf(monthname1,"%02d",m1); + sprintf(monthname2,"%02d",m2); + name_month(monthname1,sizeof(monthname1)); +@@ -269,7 +269,7 @@ + d1=day / 32; + if(day % 32 != 0) { + d2=day % 32; +- sprintf(daynum,"%02d-%02d",d1,d2); ++ sprintf(daynum,"%02u-%02u",(unsigned int)d1,(unsigned int)d2); + } else { + sprintf(daynum,"%02d",d1); + } +diff -wbBur sarg-2.3.11/report.c sarg-2.3.11.my/report.c +--- sarg-2.3.11/report.c 2018-01-14 21:00:23.000000000 +0300 ++++ sarg-2.3.11.my/report.c 2018-02-19 12:18:45.151207192 +0300 @@ -54,7 +54,7 @@ char accsmart[MAXLEN]; char crc2[MAXLEN/2 -1]; char siteind[MAX_TRUNCATED_URL]; - char arqtt[256]; -+ char arqtt[MAX_USER_FNAME_LEN * 2 + MAXLEN + 10]; ++ char arqtt[267]; char *oldurltt=NULL; char oldaccdiatt[11],oldacchoratt[9]; char tmp3[MAXLEN]; -diff -Naur sarg-2.3.11.org/userinfo.c sarg-2.3.11/userinfo.c ---- sarg-2.3.11.org/userinfo.c 2013-06-01 20:02:04.000000000 +0200 -+++ sarg-2.3.11/userinfo.c 2018-01-24 14:38:19.746338020 +0100 +diff -wbBur sarg-2.3.11/userinfo.c sarg-2.3.11.my/userinfo.c +--- sarg-2.3.11/userinfo.c 2013-06-01 22:02:04.000000000 +0400 ++++ sarg-2.3.11.my/userinfo.c 2018-02-19 12:21:16.103200796 +0300 @@ -67,7 +67,7 @@ int skip; int flen; int count, clen; - char cstr[9]; -+ char cstr[10]; ++ char cstr[11]; last=NULL; for (group=first_user_group ; group ; group=group->next) { hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 20c7552e0d1453e90cd069a83c712ff29fb1cbc7
by Arne Fitzenreiter 26 Apr '19

26 Apr '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 20c7552e0d1453e90cd069a83c712ff29fb1cbc7 (commit) via 9cf253e150078852877f5ee530aeb3408fa4216b (commit) via 5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit) via 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit) via 31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit) via 1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit) via d4f315677777e4b819d82eadd14af6f4d20137e5 (commit) via e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 (commit) via a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d (commit) via 56f6d107ff152748a0330a99ab39ad66880ff64b (commit) via 7b0c8a80af716cb8ce1abfe990b149eb60ef0498 (commit) from 2cecfd0fdb1ab4b0b7c1b9468a61c8d1d7d06961 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 20c7552e0d1453e90cd069a83c712ff29fb1cbc7 Merge: 2cecfd0fd 9cf253e15 Author: Arne Fitzenreiter <arne_f(a)ipfire.org> Date: Fri Apr 26 19:39:55 2019 +0200 Merge branch 'master' into next Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: config/rootfiles/oldcore/131/filelists/files | 1 + html/cgi-bin/wlanap.cgi | 2 - lfs/hostapd | 2 +- src/initscripts/system/firewall | 10 ++-- src/initscripts/system/suricata | 82 ++++++++++++++++++---------- 5 files changed, 60 insertions(+), 37 deletions(-) Difference in files: diff --git a/config/rootfiles/oldcore/131/filelists/files b/config/rootfiles/oldcore/131/filelists/files index 810c67b1e..aa842b73c 100644 --- a/config/rootfiles/oldcore/131/filelists/files +++ b/config/rootfiles/oldcore/131/filelists/files @@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/ids.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/remote.cgi +srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/ipsec-interfaces usr/local/bin/sshctrl diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 06ce05bfb..04b2a9491 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -388,8 +388,6 @@ print <<END  <tr><td width='25%' class='base'>$Lang::tr{'wlanap broadcast ssid'}: </td><td class='base' colspan='3'>$Lang::tr{'on'} <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> $Lang::tr{'off'}</td></tr> <tr><td width='25%' class='base'>$Lang::tr{'wlanap client isolation'}: </td><td class='base' colspan='3'>$Lang::tr{'on'} <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> $Lang::tr{'off'}</td></tr> - - <tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'> <select name='COUNTRY'> END diff --git a/lfs/hostapd b/lfs/hostapd index 14932cccb..ce399df75 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 48 +PAK_VER = 47 DEPS = "" diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index be6c9169f..da89857d8 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -186,10 +186,12 @@ iptables_init() { iptables -A FORWARD -j GUARDIAN # IPS (suricata) chains - iptables -N IPS - iptables -A INPUT -j IPS - iptables -A FORWARD -j IPS - iptables -A OUTPUT -j IPS + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT # Block non-established IPsec networks iptables -N IPSECBLOCK diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index ecd693054..c9f131fca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -6,7 +6,7 @@ # # Author : Stefan Schantl <stefan.schantl(a)ipfire.org> # -# Version : 01.00 +# Version : 01.01 # # Notes : # @@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -# Name of the firewall chain. -FW_CHAIN="IPS" +# Name of the firewall chains. +IPS_INPUT_CHAIN="IPS_INPUT" +IPS_FORWARD_CHAIN="IPS_FORWARD" +IPS_OUTPUT_CHAIN="IPS_OUTPUT" # Optional options for the Netfilter queue. NFQ_OPTS="--queue-bypass " @@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass " # Array containing the 4 possible network zones. network_zones=( red green blue orange ) +# Array to store the network zones weather the IPS is enabled for. +enabled_ips_zones=() + # Mark and Mask options. MARK="0x70000000" MASK="0x70000000" @@ -48,13 +53,18 @@ function get_cpu_count { echo $CPUCOUNT } +# Function to flush the firewall chains. +function flush_fw_chain { + # Call iptables and flush the chains + iptables -F "$IPS_INPUT_CHAIN" + iptables -F "$IPS_FORWARD_CHAIN" + iptables -F "$IPS_OUTPUT_CHAIN" +} + # Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { cpu_count=$(get_cpu_count) - # Flush the firewall chain. - iptables -F "$FW_CHAIN" - # Loop through the array of network zones. for zone in "${network_zones[@]}"; do # Convert zone into upper case. @@ -79,34 +89,46 @@ function generate_fw_rules { network_device=${!zone_name} fi - # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS - - # Check if there are multiple cpu cores available. - if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" - else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" - fi - - # Create firewall rules to queue the traffic and pass to - # the IDS. - iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + # Add the network device to the array of enabled zones. + enabled_ips_zones+=( "$network_device" ) fi done - # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" -} + # Assign NFQ_OPTS + NFQ_OPTIONS=$NFQ_OPTS + + # Check if there are multiple cpu cores available. + if [ "$cpu_count" -gt "1" ]; then + # Balance beetween all queues. + NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" + NFQ_OPTIONS+=" --queue-cpu-fanout" + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Flush the firewall chains. + flush_fw_chain + + # Check if the array of enabled_ips_zones contains any elements. + if [[ ${enabled_ips_zones[@]} ]]; then + # Loop through the array and create firewall rules. + for enabled_ips_zone in "${enabled_ips_zones[@]}"; do + # Create rules queue input and output related traffic and pass it to the IPS. + iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + + # Create rules which are required to handle forwarded traffic. + for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + done + done -# Function to flush the firewall chain. -function flush_fw_chain { - # Call iptables and flush the chain - iptables -F "$FW_CHAIN" + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + fi } case "$1" in hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, master, updated. 9cf253e150078852877f5ee530aeb3408fa4216b
by Arne Fitzenreiter 26 Apr '19

26 Apr '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, master has been updated via 9cf253e150078852877f5ee530aeb3408fa4216b (commit) via 5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit) via 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit) via 31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit) via 1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit) via d4f315677777e4b819d82eadd14af6f4d20137e5 (commit) via e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 (commit) via a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d (commit) via 56f6d107ff152748a0330a99ab39ad66880ff64b (commit) via 7b0c8a80af716cb8ce1abfe990b149eb60ef0498 (commit) from c33a6e7103b191efbff2590976e36bb4cfde47e7 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 9cf253e150078852877f5ee530aeb3408fa4216b Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Thu Apr 25 19:31:48 2019 +0200 initscripts/suricata: Rework creation of firewall rules. The script now will use the previously introduced seperate firewall chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT. The commit also creates an AND connection between the choosen network zones in the UI and the final firwall rules. Fixes #12062. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 5e3067cb52bdb613a193c2c0280e07d10c30f6de Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Thu Apr 25 19:31:47 2019 +0200 initscripts/suricata: Move functions order and always use flush_fw_chain function Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Thu Apr 25 19:31:46 2019 +0200 firewall: Use seperate firewall chains for passing traffic to the IPS Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible which kind of traffic should be passed to suricata. Reference #12062 Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 31568a19824a5e0621cf6cb9297d2800e3b3f59e Author: Arne Fitzenreiter <arne_f(a)ipfire.org> Date: Fri Apr 26 07:43:21 2019 +0200 hostapd: bump package version Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 1f35114d7bc9e2941b15cb93bebc46f66a525e9f Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Wed Apr 24 11:24:33 2019 +0100 hostap: Fix wiring of checkboxes for client isolation The checkboxes were swapped which lead to client isolation being enabled when the UI said disabled and vice-versa. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit d4f315677777e4b819d82eadd14af6f4d20137e5 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Tue Apr 23 20:33:02 2019 +0200 convert-snort: Fix ownership of the generated homenet file. Fixes #12059. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit e8a28edbea9f2b6b8d0d2f47d56f548cc1e5e2d9 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Tue Apr 23 21:27:53 2019 +0200 suricata: Use device ppp0 if PPPoE dialin is used. Fixes #12058. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit a86bc6dfc6f391ed4c91a9a0ecb503da2ee8a80d Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Tue Apr 23 20:45:42 2019 +0100 suricata: EXTERNAL_NET should equal any This enables that we scan servers in ORANGE for clients in GREEN which absolutely makes sense. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 56f6d107ff152748a0330a99ab39ad66880ff64b Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Sun Apr 21 01:32:07 2019 +0100 suricata: Do not always convert rules to be bi-directional This creates some overhead that we do not need and rules need to be adjusted to match any direction they are supposed to match. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 7b0c8a80af716cb8ce1abfe990b149eb60ef0498 Author: Arne Fitzenreiter <arne_f(a)ipfire.org> Date: Tue Apr 23 19:21:30 2019 +0200 core131: add services.cgi to update Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: config/cfgroot/ids-functions.pl | 3 - config/rootfiles/core/131/filelists/files | 1 + config/suricata/convert-snort | 3 + config/suricata/suricata.yaml | 3 +- html/cgi-bin/wlanap.cgi | 2 +- lfs/hostapd | 2 +- src/initscripts/system/firewall | 10 ++-- src/initscripts/system/suricata | 94 +++++++++++++++++++++---------- 8 files changed, 76 insertions(+), 42 deletions(-) Difference in files: diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 5496df1a9..deb287bb7 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -742,9 +742,6 @@ sub write_modify_sids_file($) { # Write file header. print FILE "#Autogenerated file. Any custom changes will be overwritten!\n"; - # Tune rules to monitor in both directions. - print FILE "modifysid \* \"\-\>\" \| \"\<\>\"\n"; - # Check if the traffic only should be monitored. unless($ruleaction eq "alert") { # Tell oinkmaster to switch all rules from alert to drop. diff --git a/config/rootfiles/core/131/filelists/files b/config/rootfiles/core/131/filelists/files index 810c67b1e..aa842b73c 100644 --- a/config/rootfiles/core/131/filelists/files +++ b/config/rootfiles/core/131/filelists/files @@ -19,6 +19,7 @@ srv/web/ipfire/cgi-bin/logs.cgi/ids.dat srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/remote.cgi +srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi usr/local/bin/ipsec-interfaces usr/local/bin/sshctrl diff --git a/config/suricata/convert-snort b/config/suricata/convert-snort index 0ad2942b1..83931fa5b 100644 --- a/config/suricata/convert-snort +++ b/config/suricata/convert-snort @@ -259,6 +259,9 @@ if (-f $IDS::rulestarball) { # Call subfunction to generate the file. &IDS::generate_home_net_file(); +# Set correct ownership for the homenet file. +&IDS::set_ownership("$IDS::homenet_file"); + # ## Step 9: Setup automatic ruleset updates. # diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index e7e27c731..7252e10b9 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -11,8 +11,7 @@ vars: # Include HOME_NET declaration from external file. include: /var/ipfire/suricata/suricata-homenet.yaml - EXTERNAL_NET: "!$HOME_NET" - #EXTERNAL_NET: "any" + EXTERNAL_NET: "any" HTTP_SERVERS: "$HOME_NET" SMTP_SERVERS: "$HOME_NET" diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 44b0b4053..abee0c3cb 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -382,7 +382,7 @@ print <<END <tr><td width='25%' class='base'>SSID: </td><td class='base' colspan='3'><input type='text' name='SSID' size='30' value='$wlanapsettings{'SSID'}' /></td></tr>  <tr><td width='25%' class='base'>SSID Broadcast: </td><td class='base' colspan='3'>on <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> off</td></tr> -<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> | <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> off</td></tr> +<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> off</td></tr> <tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'> diff --git a/lfs/hostapd b/lfs/hostapd index 64ff28e4b..c2830b88a 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 45 +PAK_VER = 46 DEPS = "" diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index be6c9169f..da89857d8 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -186,10 +186,12 @@ iptables_init() { iptables -A FORWARD -j GUARDIAN # IPS (suricata) chains - iptables -N IPS - iptables -A INPUT -j IPS - iptables -A FORWARD -j IPS - iptables -A OUTPUT -j IPS + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT # Block non-established IPsec networks iptables -N IPSECBLOCK diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 16548753e..c9f131fca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -6,7 +6,7 @@ # # Author : Stefan Schantl <stefan.schantl(a)ipfire.org> # -# Version : 01.00 +# Version : 01.01 # # Notes : # @@ -18,9 +18,12 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) +eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -# Name of the firewall chain. -FW_CHAIN="IPS" +# Name of the firewall chains. +IPS_INPUT_CHAIN="IPS_INPUT" +IPS_FORWARD_CHAIN="IPS_FORWARD" +IPS_OUTPUT_CHAIN="IPS_OUTPUT" # Optional options for the Netfilter queue. NFQ_OPTS="--queue-bypass " @@ -28,6 +31,9 @@ NFQ_OPTS="--queue-bypass " # Array containing the 4 possible network zones. network_zones=( red green blue orange ) +# Array to store the network zones weather the IPS is enabled for. +enabled_ips_zones=() + # Mark and Mask options. MARK="0x70000000" MASK="0x70000000" @@ -47,13 +53,18 @@ function get_cpu_count { echo $CPUCOUNT } +# Function to flush the firewall chains. +function flush_fw_chain { + # Call iptables and flush the chains + iptables -F "$IPS_INPUT_CHAIN" + iptables -F "$IPS_FORWARD_CHAIN" + iptables -F "$IPS_OUTPUT_CHAIN" +} + # Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { cpu_count=$(get_cpu_count) - # Flush the firewall chain. - iptables -F "$FW_CHAIN" - # Loop through the array of network zones. for zone in "${network_zones[@]}"; do # Convert zone into upper case. @@ -65,38 +76,59 @@ function generate_fw_rules { # Check if the IDS is enabled for this network zone. if [ "${!enable_ids_zone}" == "on" ]; then - # Generate name of the network interface. - network_device=$zone - network_device+="0" - - # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS - - # Check if there are multiple cpu cores available. - if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" + # Check if the current processed zone is "red" and the configured type is PPPoE dialin. + if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ]; then + # Set device name to ppp0. + network_device="ppp0" else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" + # Generate variable name which contains the device name. + zone_name="$zone_upper" + zone_name+="_DEV" + + # Grab device name. + network_device=${!zone_name} fi - # Create firewall rules to queue the traffic and pass to - # the IDS. - iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + # Add the network device to the array of enabled zones. + enabled_ips_zones+=( "$network_device" ) fi done - # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" -} + # Assign NFQ_OPTS + NFQ_OPTIONS=$NFQ_OPTS + + # Check if there are multiple cpu cores available. + if [ "$cpu_count" -gt "1" ]; then + # Balance beetween all queues. + NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" + NFQ_OPTIONS+=" --queue-cpu-fanout" + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Flush the firewall chains. + flush_fw_chain + + # Check if the array of enabled_ips_zones contains any elements. + if [[ ${enabled_ips_zones[@]} ]]; then + # Loop through the array and create firewall rules. + for enabled_ips_zone in "${enabled_ips_zones[@]}"; do + # Create rules queue input and output related traffic and pass it to the IPS. + iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + + # Create rules which are required to handle forwarded traffic. + for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + done + done -# Function to flush the firewall chain. -function flush_fw_chain { - # Call iptables and flush the chain - iptables -F "$FW_CHAIN" + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + fi } case "$1" in hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 2cecfd0fdb1ab4b0b7c1b9468a61c8d1d7d06961
by Michael Tremer 26 Apr '19

26 Apr '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 2cecfd0fdb1ab4b0b7c1b9468a61c8d1d7d06961 (commit) via 452d2b6eaa31c1e0aee0bc1da61ebe5cb5538710 (commit) via 999e17bf9e8e3c94bc13b1c417311b23bc6abb39 (commit) via a0c9850c770ef905305766dcc206267c12cdd143 (commit) via 95028c1ce2458970a3dd6a0e16e5b0b363222df2 (commit) from 948173dbb4e1451c15ed622f2ba64bcd7d105132 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 2cecfd0fdb1ab4b0b7c1b9468a61c8d1d7d06961 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Fri Apr 26 16:11:17 2019 +0100 grub: Fix build error with GCC 8 Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 452d2b6eaa31c1e0aee0bc1da61ebe5cb5538710 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Fri Apr 26 16:10:25 2019 +0100 grub: Disable efiemu on PC builds This won't compile with GCC 8 and we do not need it Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 999e17bf9e8e3c94bc13b1c417311b23bc6abb39 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Fri Apr 26 16:05:20 2019 +0100 nasm: Update to 2.14.02 Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit a0c9850c770ef905305766dcc206267c12cdd143 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Fri Apr 26 16:06:10 2019 +0100 ltrace: Bump package version This package needs to be rebuilt because it uses elfutils which has had an soname bump. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> commit 95028c1ce2458970a3dd6a0e16e5b0b363222df2 Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Fri Apr 26 16:04:48 2019 +0100 elfutils: Update to 0.176 Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/i586/grub | 2 - config/rootfiles/common/x86_64/grub | 4 -- config/rootfiles/packages/elfutils | 36 ++++++----- lfs/elfutils | 6 +- lfs/grub | 3 +- lfs/ltrace | 2 +- lfs/nasm | 4 +- ....02-fix-packed-not-aligned-error-on-gcc-8.patch | 72 ++++++++++++++++++++++ 8 files changed, 99 insertions(+), 30 deletions(-) create mode 100644 src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch Difference in files: diff --git a/config/rootfiles/common/i586/grub b/config/rootfiles/common/i586/grub index bc28d4593..d8bd62113 100644 --- a/config/rootfiles/common/i586/grub +++ b/config/rootfiles/common/i586/grub @@ -146,8 +146,6 @@ usr/lib/grub/i386-pc #usr/lib/grub/i386-pc/drivemap.module #usr/lib/grub/i386-pc/echo.mod #usr/lib/grub/i386-pc/echo.module -#usr/lib/grub/i386-pc/efiemu.mod -#usr/lib/grub/i386-pc/efiemu.module #usr/lib/grub/i386-pc/ehci.mod #usr/lib/grub/i386-pc/ehci.module #usr/lib/grub/i386-pc/elf.mod diff --git a/config/rootfiles/common/x86_64/grub b/config/rootfiles/common/x86_64/grub index d64a98819..c73e33986 100644 --- a/config/rootfiles/common/x86_64/grub +++ b/config/rootfiles/common/x86_64/grub @@ -146,10 +146,6 @@ usr/lib/grub/i386-pc/drivemap.mod usr/lib/grub/i386-pc/drivemap.module usr/lib/grub/i386-pc/echo.mod usr/lib/grub/i386-pc/echo.module -usr/lib/grub/i386-pc/efiemu.mod -usr/lib/grub/i386-pc/efiemu.module -usr/lib/grub/i386-pc/efiemu32.o -usr/lib/grub/i386-pc/efiemu64.o usr/lib/grub/i386-pc/ehci.mod usr/lib/grub/i386-pc/ehci.module usr/lib/grub/i386-pc/elf.mod diff --git a/config/rootfiles/packages/elfutils b/config/rootfiles/packages/elfutils index ac6d1ccc2..e5b1124a5 100644 --- a/config/rootfiles/packages/elfutils +++ b/config/rootfiles/packages/elfutils @@ -28,44 +28,46 @@ usr/bin/eu-unstrip #usr/include/libelf.h #usr/include/nlist.h usr/lib/elfutils -#usr/lib/elfutils/libebl_aarch64-0.168.so +usr/lib/elfutils/libebl_aarch64-0.176.so #usr/lib/elfutils/libebl_aarch64.so -#usr/lib/elfutils/libebl_alpha-0.168.so +usr/lib/elfutils/libebl_alpha-0.176.so #usr/lib/elfutils/libebl_alpha.so -#usr/lib/elfutils/libebl_arm-0.168.so +usr/lib/elfutils/libebl_arm-0.176.so #usr/lib/elfutils/libebl_arm.so -#usr/lib/elfutils/libebl_bpf-0.168.so +usr/lib/elfutils/libebl_bpf-0.176.so #usr/lib/elfutils/libebl_bpf.so -#usr/lib/elfutils/libebl_i386-0.168.so +usr/lib/elfutils/libebl_i386-0.176.so #usr/lib/elfutils/libebl_i386.so -#usr/lib/elfutils/libebl_ia64-0.168.so +usr/lib/elfutils/libebl_ia64-0.176.so #usr/lib/elfutils/libebl_ia64.so -#usr/lib/elfutils/libebl_m68k-0.168.so +usr/lib/elfutils/libebl_m68k-0.176.so #usr/lib/elfutils/libebl_m68k.so -#usr/lib/elfutils/libebl_ppc-0.168.so +usr/lib/elfutils/libebl_ppc-0.176.so #usr/lib/elfutils/libebl_ppc.so -#usr/lib/elfutils/libebl_ppc64-0.168.so +usr/lib/elfutils/libebl_ppc64-0.176.so #usr/lib/elfutils/libebl_ppc64.so -#usr/lib/elfutils/libebl_s390-0.168.so +usr/lib/elfutils/libebl_riscv-0.176.so +#usr/lib/elfutils/libebl_riscv.so +usr/lib/elfutils/libebl_s390-0.176.so #usr/lib/elfutils/libebl_s390.so -#usr/lib/elfutils/libebl_sh-0.168.so +usr/lib/elfutils/libebl_sh-0.176.so #usr/lib/elfutils/libebl_sh.so -#usr/lib/elfutils/libebl_sparc-0.168.so +usr/lib/elfutils/libebl_sparc-0.176.so #usr/lib/elfutils/libebl_sparc.so -#usr/lib/elfutils/libebl_tilegx-0.168.so +usr/lib/elfutils/libebl_tilegx-0.176.so #usr/lib/elfutils/libebl_tilegx.so -#usr/lib/elfutils/libebl_x86_64-0.168.so +usr/lib/elfutils/libebl_x86_64-0.176.so #usr/lib/elfutils/libebl_x86_64.so -usr/lib/libasm-0.168.so +usr/lib/libasm-0.176.so #usr/lib/libasm.a usr/lib/libasm.so usr/lib/libasm.so.1 -usr/lib/libdw-0.168.so +usr/lib/libdw-0.176.so #usr/lib/libdw.a usr/lib/libdw.so usr/lib/libdw.so.1 #usr/lib/libebl.a -usr/lib/libelf-0.168.so +usr/lib/libelf-0.176.so #usr/lib/libelf.a usr/lib/libelf.so usr/lib/libelf.so.1 diff --git a/lfs/elfutils b/lfs/elfutils index de11fb570..f72d11531 100644 --- a/lfs/elfutils +++ b/lfs/elfutils @@ -24,7 +24,7 @@ include Config -VER = 0.168 +VER = 0.176 THISAPP = elfutils-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = elfutils -PAK_VER = 1 +PAK_VER = 2 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 52adfa40758d0d39e5d5c57689bf38d6 +$(DL_FILE)_MD5 = 077e4f49320cad82bf17a997068b1db9 install : $(TARGET) diff --git a/lfs/grub b/lfs/grub index e6131f2f5..56cc9b557 100644 --- a/lfs/grub +++ b/lfs/grub @@ -100,6 +100,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02_disable_vga_fallback.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-xfs-accept-filesystem-with-sparse-inodes.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch # Install unifont cp -v $(DIR_DL)/unifont-7.0.03.pcf.gz $(DIR_APP)/unifont.pcf.gz @@ -115,7 +116,7 @@ endif ifeq "$(BUILD_PC)" "1" cp -r $(DIR_APP) $(DIR_APP_PC) cd $(DIR_APP_PC) && ./configure $(CONFIGURE_ARGS) \ - --with-platform=pc CFLAGS= LDFLAGS= + --with-platform=pc --disable-efiemu CFLAGS= LDFLAGS= cd $(DIR_APP_PC) && make $(MAKETUNING) cd $(DIR_APP_PC) && make install diff --git a/lfs/ltrace b/lfs/ltrace index d479910de..1ac7981ea 100644 --- a/lfs/ltrace +++ b/lfs/ltrace @@ -33,7 +33,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = ltrace -PAK_VER = 1 +PAK_VER = 2 DEPS = "elfutils" diff --git a/lfs/nasm b/lfs/nasm index e17561684..fd397e710 100644 --- a/lfs/nasm +++ b/lfs/nasm @@ -24,7 +24,7 @@ include Config -VER = 2.13.02 +VER = 2.14.02 THISAPP = nasm-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = abb79a82fa30908217e30f76eca8a557 +$(DL_FILE)_MD5 = 6390bd67b07ff1df9fe628b6929c0353 install : $(TARGET) diff --git a/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch b/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch new file mode 100644 index 000000000..51ee7dc86 --- /dev/null +++ b/src/patches/grub-2.02-fix-packed-not-aligned-error-on-gcc-8.patch @@ -0,0 +1,72 @@ +From 563b1da6e6ae7af46cc8354cadb5dab416989f0a Mon Sep 17 00:00:00 2001 +From: Michael Chang <mchang(a)suse.com> +Date: Mon, 26 Mar 2018 16:52:34 +0800 +Subject: Fix packed-not-aligned error on GCC 8 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When building with GCC 8, there are several errors regarding packed-not-aligned. + +./include/grub/gpt_partition.h:79:1: error: alignment 1 of ‘struct grub_gpt_partentry’ is less than 8 [-Werror=packed-not-aligned] + +This patch fixes the build error by cleaning up the ambiguity of placing +aligned structure in a packed one. In "struct grub_btrfs_time" and "struct +grub_gpt_part_type", the aligned attribute seems to be superfluous, and also +has to be packed, to ensure the structure is bit-to-bit mapped to the format +laid on disk. I think we could blame to copy and paste error here for the +mistake. In "struct efi_variable", we have to use grub_efi_packed_guid_t, as +the name suggests. :) + +Signed-off-by: Michael Chang <mchang(a)suse.com> +Tested-by: Michael Chang <mchang(a)suse.com> +Tested-by: Paul Menzel <paulepanter(a)users.sourceforge.net> +Reviewed-by: Daniel Kiper <daniel.kiper(a)oracle.com> +--- + grub-core/fs/btrfs.c | 2 +- + include/grub/efiemu/runtime.h | 2 +- + include/grub/gpt_partition.h | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c +index 4849c1c..be19544 100644 +--- a/grub-core/fs/btrfs.c ++++ b/grub-core/fs/btrfs.c +@@ -175,7 +175,7 @@ struct grub_btrfs_time + { + grub_int64_t sec; + grub_uint32_t nanosec; +-} __attribute__ ((aligned (4))); ++} GRUB_PACKED; + + struct grub_btrfs_inode + { +diff --git a/include/grub/efiemu/runtime.h b/include/grub/efiemu/runtime.h +index 9b6b729..36d2ded 100644 +--- a/include/grub/efiemu/runtime.h ++++ b/include/grub/efiemu/runtime.h +@@ -29,7 +29,7 @@ struct grub_efiemu_ptv_rel + + struct efi_variable + { +- grub_efi_guid_t guid; ++ grub_efi_packed_guid_t guid; + grub_uint32_t namelen; + grub_uint32_t size; + grub_efi_uint32_t attributes; +diff --git a/include/grub/gpt_partition.h b/include/grub/gpt_partition.h +index 1b32f67..9668a68 100644 +--- a/include/grub/gpt_partition.h ++++ b/include/grub/gpt_partition.h +@@ -28,7 +28,7 @@ struct grub_gpt_part_type + grub_uint16_t data2; + grub_uint16_t data3; + grub_uint8_t data4[8]; +-} __attribute__ ((aligned(8))); ++} GRUB_PACKED; + typedef struct grub_gpt_part_type grub_gpt_part_type_t; + + #define GRUB_GPT_PARTITION_TYPE_EMPTY \ +-- +cgit v1.0-41-gc330 + hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, next, updated. 948173dbb4e1451c15ed622f2ba64bcd7d105132
by Michael Tremer 26 Apr '19

26 Apr '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 948173dbb4e1451c15ed622f2ba64bcd7d105132 (commit) from c72171403609ca7109b6f293be3f9f771ab4abba (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 948173dbb4e1451c15ed622f2ba64bcd7d105132 Author: Erik Kapfer <ummeegge(a)ipfire.org> Date: Fri Apr 26 17:08:35 2019 +0200 OpenVPN: Fixed certificate generation in French Fixes #12060 Signed-off-by: Erik Kapfer <ummeegge(a)ipfire.org> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: langs/fr/cgi-bin/fr.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Difference in files: diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index b4ecf32fa..e6376f505 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -1284,7 +1284,7 @@ 'generate a certificate' => 'Générer un certificat :', 'generate dh key' => 'Générer paramètres Diffie-Hellman', 'generate iso' => 'Générer ISO', -'generate root/host certificates' => 'Générer des certificats root / hôte ', +'generate root/host certificates' => 'Générer des certificats root / hôte', 'generate tripwire keys and init' => 'Générer des clef Tripwire et init', 'generatekeys' => 'Générer des clefs', 'generatepolicy' => 'Générer une nouvelle politique', hooks/post-receive -- IPFire 2.x development tree

1 0

[git.ipfire.org] IPFire 2.x development tree branch, core131, updated. 9cf253e150078852877f5ee530aeb3408fa4216b
by Arne Fitzenreiter 26 Apr '19

26 Apr '19

This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, core131 has been updated via 9cf253e150078852877f5ee530aeb3408fa4216b (commit) via 5e3067cb52bdb613a193c2c0280e07d10c30f6de (commit) via 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 (commit) via 31568a19824a5e0621cf6cb9297d2800e3b3f59e (commit) via 1f35114d7bc9e2941b15cb93bebc46f66a525e9f (commit) from d4f315677777e4b819d82eadd14af6f4d20137e5 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 9cf253e150078852877f5ee530aeb3408fa4216b Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Thu Apr 25 19:31:48 2019 +0200 initscripts/suricata: Rework creation of firewall rules. The script now will use the previously introduced seperate firewall chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT. The commit also creates an AND connection between the choosen network zones in the UI and the final firwall rules. Fixes #12062. Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 5e3067cb52bdb613a193c2c0280e07d10c30f6de Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Thu Apr 25 19:31:47 2019 +0200 initscripts/suricata: Move functions order and always use flush_fw_chain function Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 686c4b9f25d2c2edfc4fe851f84a78e04eaee330 Author: Stefan Schantl <stefan.schantl(a)ipfire.org> Date: Thu Apr 25 19:31:46 2019 +0200 firewall: Use seperate firewall chains for passing traffic to the IPS Create and use seperate iptables chain called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible which kind of traffic should be passed to suricata. Reference #12062 Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 31568a19824a5e0621cf6cb9297d2800e3b3f59e Author: Arne Fitzenreiter <arne_f(a)ipfire.org> Date: Fri Apr 26 07:43:21 2019 +0200 hostapd: bump package version Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org> commit 1f35114d7bc9e2941b15cb93bebc46f66a525e9f Author: Michael Tremer <michael.tremer(a)ipfire.org> Date: Wed Apr 24 11:24:33 2019 +0100 hostap: Fix wiring of checkboxes for client isolation The checkboxes were swapped which lead to client isolation being enabled when the UI said disabled and vice-versa. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> ----------------------------------------------------------------------- Summary of changes: html/cgi-bin/wlanap.cgi | 2 +- lfs/hostapd | 2 +- src/initscripts/system/firewall | 10 +++-- src/initscripts/system/suricata | 82 ++++++++++++++++++++++++++--------------- 4 files changed, 60 insertions(+), 36 deletions(-) Difference in files: diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi index 44b0b4053..abee0c3cb 100644 --- a/html/cgi-bin/wlanap.cgi +++ b/html/cgi-bin/wlanap.cgi @@ -382,7 +382,7 @@ print <<END <tr><td width='25%' class='base'>SSID: </td><td class='base' colspan='3'><input type='text' name='SSID' size='30' value='$wlanapsettings{'SSID'}' /></td></tr>  <tr><td width='25%' class='base'>SSID Broadcast: </td><td class='base' colspan='3'>on <input type='radio' name='HIDESSID' value='off' $checked{'HIDESSID'}{'off'} /> | <input type='radio' name='HIDESSID' value='on' $checked{'HIDESSID'}{'on'} /> off</td></tr> -<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> | <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> off</td></tr> +<tr><td width='25%' class='base'>Client Isolation: </td><td class='base' colspan='3'>on <input type='radio' name='CLIENTISOLATION' value='on' $checked{'CLIENTISOLATION'}{'on'} /> | <input type='radio' name='CLIENTISOLATION' value='off' $checked{'CLIENTISOLATION'}{'off'} /> off</td></tr> <tr><td width='25%' class='base'>$Lang::tr{'wlanap country'}: </td><td class='base' colspan='3'> diff --git a/lfs/hostapd b/lfs/hostapd index 64ff28e4b..c2830b88a 100644 --- a/lfs/hostapd +++ b/lfs/hostapd @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = hostapd -PAK_VER = 45 +PAK_VER = 46 DEPS = "" diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index be6c9169f..da89857d8 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -186,10 +186,12 @@ iptables_init() { iptables -A FORWARD -j GUARDIAN # IPS (suricata) chains - iptables -N IPS - iptables -A INPUT -j IPS - iptables -A FORWARD -j IPS - iptables -A OUTPUT -j IPS + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT # Block non-established IPsec networks iptables -N IPSECBLOCK diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index ecd693054..c9f131fca 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -6,7 +6,7 @@ # # Author : Stefan Schantl <stefan.schantl(a)ipfire.org> # -# Version : 01.00 +# Version : 01.01 # # Notes : # @@ -20,8 +20,10 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings) eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) -# Name of the firewall chain. -FW_CHAIN="IPS" +# Name of the firewall chains. +IPS_INPUT_CHAIN="IPS_INPUT" +IPS_FORWARD_CHAIN="IPS_FORWARD" +IPS_OUTPUT_CHAIN="IPS_OUTPUT" # Optional options for the Netfilter queue. NFQ_OPTS="--queue-bypass " @@ -29,6 +31,9 @@ NFQ_OPTS="--queue-bypass " # Array containing the 4 possible network zones. network_zones=( red green blue orange ) +# Array to store the network zones weather the IPS is enabled for. +enabled_ips_zones=() + # Mark and Mask options. MARK="0x70000000" MASK="0x70000000" @@ -48,13 +53,18 @@ function get_cpu_count { echo $CPUCOUNT } +# Function to flush the firewall chains. +function flush_fw_chain { + # Call iptables and flush the chains + iptables -F "$IPS_INPUT_CHAIN" + iptables -F "$IPS_FORWARD_CHAIN" + iptables -F "$IPS_OUTPUT_CHAIN" +} + # Function to create the firewall rules to pass the traffic to suricata. function generate_fw_rules { cpu_count=$(get_cpu_count) - # Flush the firewall chain. - iptables -F "$FW_CHAIN" - # Loop through the array of network zones. for zone in "${network_zones[@]}"; do # Convert zone into upper case. @@ -79,34 +89,46 @@ function generate_fw_rules { network_device=${!zone_name} fi - # Assign NFQ_OPTS - NFQ_OPTIONS=$NFQ_OPTS - - # Check if there are multiple cpu cores available. - if [ "$cpu_count" -gt "1" ]; then - # Balance beetween all queues. - NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" - NFQ_OPTIONS+=" --queue-cpu-fanout" - else - # Send all packets to queue 0. - NFQ_OPTIONS+="--queue-num 0" - fi - - # Create firewall rules to queue the traffic and pass to - # the IDS. - iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + # Add the network device to the array of enabled zones. + enabled_ips_zones+=( "$network_device" ) fi done - # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -A "${FW_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" -} + # Assign NFQ_OPTS + NFQ_OPTIONS=$NFQ_OPTS + + # Check if there are multiple cpu cores available. + if [ "$cpu_count" -gt "1" ]; then + # Balance beetween all queues. + NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))" + NFQ_OPTIONS+=" --queue-cpu-fanout" + else + # Send all packets to queue 0. + NFQ_OPTIONS+="--queue-num 0" + fi + + # Flush the firewall chains. + flush_fw_chain + + # Check if the array of enabled_ips_zones contains any elements. + if [[ ${enabled_ips_zones[@]} ]]; then + # Loop through the array and create firewall rules. + for enabled_ips_zone in "${enabled_ips_zones[@]}"; do + # Create rules queue input and output related traffic and pass it to the IPS. + iptables -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + + # Create rules which are required to handle forwarded traffic. + for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do + iptables -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + done + done -# Function to flush the firewall chain. -function flush_fw_chain { - # Call iptables and flush the chain - iptables -F "$FW_CHAIN" + # Clear repeat bit, so that it does not confuse IPsec or QoS + iptables -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + iptables -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" + fi } case "$1" in hooks/post-receive -- IPFire 2.x development tree

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

IPFire-SCM