This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
via e850a61429b03cb77a9dc798e9f093500db09a87 (commit)
via ef7d9d7657a3062dbba694728c4c8c6b05caa4c7 (commit)
via d4ff0694c5fa0ec1798cbf849b896b3212a262f6 (commit)
via 19357bc55e63cbde3bfae3f46bfaf5e655871763 (commit)
via 3fa8300e706227db9f72b4b1349dde3e66399298 (commit)
via 2469ca9fbab0a02502fc8086bc94517d7dcdcfaf (commit)
via 49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d (commit)
via 855475580b153f05df8417d408193142a76950cf (commit)
via 9deccd1cbab7e446a362b6410fb88b36b655a7cd (commit)
via 11f7218f9cd16b32b2cb4477355e0e5057df6399 (commit)
via 4f07c279a01d076d7f788ac8635194a8bb7c51cd (commit)
via 761fadbdde805c8863a1f2a736408367a38f94da (commit)
via aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53 (commit)
via ec18a1ecae60c6c3b6418e300aebd6a823844c8d (commit)
via 56702858529ae1bf75e21da3ef00f136bacedfcd (commit)
via 637eb94684cb0029ca76bb67dda8a8d2c15560ab (commit)
via 0165dd40256fb1fe8474140cf54eb30cfb9fb7f3 (commit)
via a09578f4eb954ea982926daab53c34492df05b43 (commit)
from 80909fb6da64a911c900df50805fd5866685faf0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit e850a61429b03cb77a9dc798e9f093500db09a87 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 18:27:49 2021 +0000
firewall: replace mark with --pol ipsec to exclude ipsec traffic from masquerade
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ef7d9d7657a3062dbba694728c4c8c6b05caa4c7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 18:25:11 2021 +0000
core161: add suricata changes
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d4ff0694c5fa0ec1798cbf849b896b3212a262f6 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Oct 18 22:36:02 2021 +0200
squid-asnbl: update to 0.2.3
Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the behaviour of this script in case of invalid or unresolvable FQDNs, preventing Squid from eventually shutting down due to too many BH's per time.
Since this allows (authenticated) users to run a DoS against the Squid instance, it is considered to be security relevant.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 19357bc55e63cbde3bfae3f46bfaf5e655871763 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:22 2021 +0000
firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3fa8300e706227db9f72b4b1349dde3e66399298 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:21 2021 +0000
suricata: Introduce IPSBYPASS chain
NFQUEUE does not let the packet continue where it was processed, but inserts it back into iptables at the start. That is why we need an extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit
The latter is more of cosmetic nature so that we can identify packets that have come from suricata again and those which have bypassed the IPS straight away.
The IPS_* chains will now only be sent traffic when neither of the two relevant bits is set. Otherwise the packet has already been processed by suricata in the first pass, or suricata has decided to bypass the connection.
This massively reduces load on the IPS which allows many common connections (TLS connections with downloads) to bypass the IPS bringing us back to line speed.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
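The bit logic this commit message describes is easy to get wrong when reading iptables rules, so here is an added illustration (not IPFire code, and not part of this push) that re-implements the two netfilter semantics the design relies on in plain POSIX shell arithmetic: the `-m mark --mark VALUE/MASK` match, which succeeds when `(pktmark & MASK) == VALUE`, and `CONNMARK --save-mark --mask M`, which computes `ctmark = (ctmark & ~M) | (pktmark & M)`. The mark values are the ones from this push; the function names and the sample packet marks are constructed for the example. `ips_decision` reproduces the order of the two jumps in INPUT/FORWARD/OUTPUT: first the jump into IPSBYPASS (both bits set), then the jump into the IPS_* chain (neither bit set), otherwise the packet skips the IPS.

```shell
#!/bin/sh
# Added example, not IPFire code. Values taken from this push:
IPS_REPEAT_MARK=0x80000000
IPS_REPEAT_MASK=0x80000000
IPS_BYPASS_MARK=0x40000000
IPS_BYPASS_MASK=0x40000000

# iptables '-m mark --mark VALUE/MASK' semantics: (pktmark & MASK) == VALUE
# $1 = packet mark, $2 = VALUE, $3 = MASK
mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# 'CONNMARK --save-mark --mask M' semantics: ctmark = (ctmark & ~M) | (pktmark & M)
# $1 = current ctmark, $2 = packet mark, $3 = M; prints the new ctmark (decimal)
connmark_save() {
    printf '%d\n' $(( ($1 & ~$3 & 0xffffffff) | ($2 & $3) ))
}

# Which way a packet goes in INPUT/FORWARD/OUTPUT, in the order the rules
# are appended by the firewall script: IPSBYPASS | IPS | SKIP
# $1 = packet mark (after any CONNMARK restore)
ips_decision() {
    both_mask=$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))
    if mark_matches "$1" $(( IPS_REPEAT_MARK | IPS_BYPASS_MARK )) "$both_mask"; then
        echo IPSBYPASS      # re-injected by suricata with the bypass verdict
    elif mark_matches "$1" 0 "$both_mask"; then
        echo IPS            # first pass of a not-yet-bypassed flow: queue to suricata
    else
        echo SKIP           # repeated without bypass, or bypass restored from ctmark
    fi
}

# Walk one flow through the design: first packet, re-injection with bypass,
# what IPSBYPASS stores in the connmark, and the next packet of the flow.
demo() {
    printf 'first packet (mark 0): %s\n' "$(ips_decision 0)"
    reinjected=$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))
    printf 're-injected with REPEAT|BYPASS: %s\n' "$(ips_decision "$reinjected")"
    save_mask=$(( ~IPS_REPEAT_MASK & 0xffffffff ))
    ctmark=$(connmark_save 0 "$reinjected" "$save_mask")
    printf 'ctmark after IPSBYPASS: 0x%08x (REPEAT not stored)\n' "$ctmark"
    printf 'next packet with ctmark restored: %s\n' "$(ips_decision "$ctmark")"
}

demo
```

Running `demo` shows the four states in sequence: the first packet is queued, the re-injected packet lands in IPSBYPASS, the connmark keeps only the BYPASS bit, and every later packet of the flow is skipped without touching NFQUEUE.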
commit 2469ca9fbab0a02502fc8086bc94517d7dcdcfaf Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:20 2021 +0000
suricata: Store bypass flag in connmark and restore
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:19 2021 +0000
suricata: Add rule to skip IPS if a packet has the bypass bit set
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 855475580b153f05df8417d408193142a76950cf Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:18 2021 +0000
suricata: Always append rules instead of inserting them
This allows us to add rules in a consistent order like they are in the script.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9deccd1cbab7e446a362b6410fb88b36b655a7cd Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:17 2021 +0000
suricata: Enable bypassing unhandled streams
If a stream cannot be identified, or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 11f7218f9cd16b32b2cb4477355e0e5057df6399 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:16 2021 +0000
suricata: Define bypass mark
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4f07c279a01d076d7f788ac8635194a8bb7c51cd Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:15 2021 +0000
suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK
This should avoid confusion when we add more marks.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 761fadbdde805c8863a1f2a736408367a38f94da Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:14 2021 +0000
suricata: Set most significant bit as repeat marker
I have no idea why some odd value was chosen here, but one bit should be enough.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Tested-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 11:32:00 2021 +0000
core161: add pakfire.conf and pakfire/lib/functions.pl
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ec18a1ecae60c6c3b6418e300aebd6a823844c8d Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 14 19:01:49 2021 +0000
pakfire: Allow pinning Pakfire to one mirror server
This patch adds a new $mirror option to the configuration file which will cause Pakfire to only use this one to download any files.
This feature is disabled by default but useful for development.
Fixes: #12706
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 56702858529ae1bf75e21da3ef00f136bacedfcd Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 11:27:58 2021 +0000
core161: add index.cgi and general-functions.pl
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 637eb94684cb0029ca76bb67dda8a8d2c15560ab Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 14 13:26:30 2021 +0000
index.cgi: Remove left-over DNSSEC status warning
An error message is still shown although there is no option to disable DNSSEC at the moment. The old marker file could still be present on older machines.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0165dd40256fb1fe8474140cf54eb30cfb9fb7f3 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 11:23:12 2021 +0000
core161: add partresize
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a09578f4eb954ea982926daab53c34492df05b43 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 14 12:00:31 2021 +0000
OCI: Enable serial console by default
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/general-functions.pl | 11 -----------
config/grub2/00_cloud | 8 ++++++++
config/rootfiles/core/161/filelists/files | 7 +++++++
config/suricata/suricata.yaml | 27 ++++++++++++++++++---------
html/cgi-bin/index.cgi | 5 -----
lfs/squid-asnbl | 4 ++--
src/initscripts/system/firewall | 25 +++++++++++++++++++------
src/initscripts/system/partresize | 6 +++---
src/initscripts/system/suricata | 15 +++------------
src/pakfire/lib/functions.pl | 12 ++++++++++++
src/pakfire/pakfire.conf | 3 +++
11 files changed, 75 insertions(+), 48 deletions(-)
Difference in files: diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index de608e38b..f72d6588c 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -1238,17 +1238,6 @@ sub get_red_interface() { return $interface; }
-sub dnssec_status() { - my $path = "${General::swroot}/red/dnssec-status"; - - open(STATUS, $path) or return 0; - my $status = <STATUS>; - close(STATUS); - - chomp($status); - - return $status; -} sub number_cpu_cores() { open my $cpuinfo, "/proc/cpuinfo" or die "Can't open cpuinfo: $!\n"; my $cores = scalar (map /^processor/, <$cpuinfo>); diff --git a/config/grub2/00_cloud b/config/grub2/00_cloud index 121cb2fbd..1ef5053e5 100644 --- a/config/grub2/00_cloud +++ b/config/grub2/00_cloud @@ -23,8 +23,16 @@ cat <<EOF # Read the system manufacturer string from the BIOS smbios --type 1 --get-string 4 --set system_manufacturer
+# Read the chassis asset tag +smbios --type 3 --get-string 8 --set chassis_asset_tag + # Are we on Amazon EC2? if [ "$system_manufacturer" = "Amazon EC2" ]; then next_entry=gnulinux-${KERNEL_RELEASE}-serial-${boot_device_id} fi + +# Are we on Oracle Cloud? +if [ "$chassis_asset_tag" = "OracleCloud.com" ]; then + next_entry=gnulinux-${KERNEL_RELEASE}-serial-${boot_device_id} +fi EOF diff --git a/config/rootfiles/core/161/filelists/files b/config/rootfiles/core/161/filelists/files index adab4730d..b6a7fff92 100644 --- a/config/rootfiles/core/161/filelists/files +++ b/config/rootfiles/core/161/filelists/files @@ -1,4 +1,10 @@ etc/rc.d/init.d/firewall +etc/rc.d/init.d/partresize +etc/rc.d/init.d/suricata +etc/suricata/suricata.yaml +opt/pakfire/etc/pakfire.conf +opt/pakfire/lib/functions.pl +srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/qos.cgi usr/bin/2to3 @@ -7,4 +13,5 @@ usr/lib/firewall/rules.pl usr/libexec/ipsec/_updown usr/local/bin/hddshutdown usr/local/bin/makegraphs +var/ipfire/general-functions.pl var/ipfire/qos/bin/makeqosscripts.pl diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 4e9e39967..6f37671c8 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -346,10 +346,10 @@ logging:
nfq: mode: repeat - repeat-mark: 1879048192 - repeat-mask: 1879048192 -# bypass-mark: 1 -# bypass-mask: 1 + repeat-mark: 2147483648 + repeat-mask: 2147483648 + bypass-mark: 1073741824 + bypass-mask: 1073741824 # route-queue: 2 # batchcount: 20 fail-open: yes @@ -389,11 +389,19 @@ app-layer: # will be disabled by default, but enabled if rules require it. ja3-fingerprints: auto
- # Completely stop processing TLS/SSL session after the handshake - # completed. If bypass is enabled this will also trigger flow - # bypass. If disabled (the default), TLS/SSL session is still - # tracked for Heartbleed and other anomalies. - #no-reassemble: yes + # What to do when the encrypted communications start: + # - default: keep tracking TLS session, check for protocol anomalies, + # inspect tls_* keywords. Disables inspection of unmodified + # 'content' signatures. + # - bypass: stop processing this flow as much as possible. No further + # TLS parsing and inspection. Offload flow bypass to kernel + # or hardware if possible. + # - full: keep tracking and inspection as normal. Unmodified content + # keyword signatures are inspected as well. + # + # For best performance, select 'bypass'. + # + encryption-handling: bypass dcerpc: enabled: yes ftp: @@ -810,6 +818,7 @@ stream: prealloc-sessions: 4096 checksum-validation: yes # reject wrong csums inline: auto # auto will use inline mode in IPS mode, yes or no set it statically + bypass: yes # Bypass packets when stream.reassembly.depth is reached. reassembly: memcap: 256mb depth: 1mb # reassemble 1mb into a stream diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index fafbe0aa1..948fdde55 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -536,11 +536,6 @@ END &Header::closebox(); }
-my $dnssec_status = &General::dnssec_status(); -if ($dnssec_status eq "off") { - $warnmessage .= "<li>$Lang::tr{'dnssec disabled warning'}</li>"; -} - # Fireinfo if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; diff --git a/lfs/squid-asnbl b/lfs/squid-asnbl index 3fc001768..9bb7ef198 100644 --- a/lfs/squid-asnbl +++ b/lfs/squid-asnbl @@ -25,7 +25,7 @@
include Config
-VER = 0.2.2 +VER = 0.2.3
THISAPP = squid-asnbl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -45,7 +45,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d62be77baa30b16d1c2362460123d6c0 +$(DL_FILE)_MD5 = cf0a269215f06f487d1ed488ea463d6b
install : $(TARGET)
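Review bot: the only integrity pin for the new tarball in this hunk is the MD5 line (`$(DL_FILE)_MD5 = cf0a269215f06f487d1ed488ea463d6b`); since the commit message classifies this update as security relevant, the commit message should say where the checksum was taken from (upstream's published digest or a locally verified download of commit 500b9137 and later) so the pin can be audited later without re-downloading.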
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ce428393d..776e70d6e 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -14,8 +14,10 @@ fi
NAT_MASK="0x0f000000"
-IPSEC_MARK="0x00800000" -IPSEC_MASK="${IPSEC_MARK}" +IPS_REPEAT_MARK="0x80000000" +IPS_REPEAT_MASK="0x80000000" +IPS_BYPASS_MARK="0x40000000" +IPS_BYPASS_MASK="0x40000000"
function iptables() { /sbin/iptables --wait "$@" @@ -41,6 +43,16 @@ iptables_init() { modprobe nf_log_ipv4 sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
+ # IPS Bypass Chain which stores the BYPASS bit in connection tracking + iptables -N IPSBYPASS + iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))" + + # Jump into bypass chain when the BYPASS bit is set + for chain in INPUT FORWARD OUTPUT; do + iptables -A "${chain}" -m mark \ + --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS + done + # Empty LOG_DROP and LOG_REJECT chains iptables -N LOG_DROP iptables -A LOG_DROP -m limit --limit 10/second -j LOG @@ -147,9 +159,10 @@ iptables_init() { iptables -N IPS_INPUT iptables -N IPS_FORWARD iptables -N IPS_OUTPUT - iptables -A INPUT -j IPS_INPUT - iptables -A FORWARD -j IPS_FORWARD - iptables -A OUTPUT -j IPS_OUTPUT + + for chain in INPUT FORWARD OUTPUT; do + iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" + done
# OpenVPN transfer network translation iptables -t nat -N OVPNNAT @@ -380,7 +393,7 @@ iptables_red_up() { fi
# Outgoing masquerading (don't masqerade IPsec) - iptables -t nat -A REDNAT -m mark --mark "${IPSEC_MARK}/${IPSEC_MASK}" -o "${IFACE}" -j RETURN + iptables -t nat -A REDNAT -m policy --pol ipsec --dir=out -o "${IFACE}" -j RETURN
if [ "${IFACE}" = "${GREEN_DEV}" ]; then iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN diff --git a/src/initscripts/system/partresize b/src/initscripts/system/partresize index 4fa1906d0..2206ca451 100644 --- a/src/initscripts/system/partresize +++ b/src/initscripts/system/partresize @@ -45,9 +45,9 @@ case "${1}" in esac fi
- # Enable the serial console on all systems on AWS EC2, Azure - # and Google Compute Platform - if running_on_ec2 || running_on_azure || running_on_gcp; then + # Enable the serial console on all systems on AWS EC2, Oracle Cloud, + # Azure and Google Compute Platform + if running_on_ec2 || running_on_oci || running_on_azure || running_on_gcp; then scon="on" fi
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata index 33633ddf9..13fcc7f34 100644 --- a/src/initscripts/system/suricata +++ b/src/initscripts/system/suricata @@ -34,10 +34,6 @@ network_zones=( red green blue orange ovpn ) # Array to store the network zones weather the IPS is enabled for. enabled_ips_zones=()
-# Mark and Mask options. -MARK="0x70000000" -MASK="0x70000000" - # PID file of suricata. PID_FILE="/var/run/suricata.pid"
@@ -137,19 +133,14 @@ function generate_fw_rules { # Loop through the array and create firewall rules. for enabled_ips_zone in "${enabled_ips_zones[@]}"; do # Create rules queue input and output related traffic and pass it to the IPS. - iptables -w -I "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS - iptables -w -I "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
# Create rules which are required to handle forwarded traffic. for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do - iptables -w -I "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS + iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS done done - - # Clear repeat bit, so that it does not confuse IPsec or QoS - iptables -w -A "${IPS_INPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" - iptables -w -A "${IPS_FORWARD_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" - iptables -w -A "${IPS_OUTPUT_CHAIN}" -j MARK --set-xmark "0x0/${MASK}" fi }
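Review bot: the three `MARK --set-xmark "0x0/${MASK}"` rules removed at the end of this hunk were the only place the repeat bit was cleared, and the new IPSBYPASS chain in the firewall script only runs when the BYPASS bit is also set, so a packet that suricata returned without bypassing now carries 0x80000000 in its mark for the rest of INPUT/FORWARD/OUTPUT. The removed comment said the clearing existed so the bit "does not confuse IPsec or QoS"; please confirm every later `-m mark` match and MARK target in the firewall and QoS scripts uses a mask, otherwise their comparisons change for repeated packets. Also, dropping `-m mark ! --mark` from the NFQUEUE rules means this script no longer protects itself against re-queueing and relies entirely on the mark gate in front of the IPS_* chains in src/initscripts/system/firewall; a one-line comment above the loop naming that dependency would help the next reader.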
diff --git a/src/pakfire/lib/functions.pl b/src/pakfire/lib/functions.pl index f46c9acc1..4d9854a6f 100644 --- a/src/pakfire/lib/functions.pl +++ b/src/pakfire/lib/functions.pl @@ -30,6 +30,7 @@ use HTTP::Headers; use HTTP::Message; use HTTP::Request; use Net::Ping; +use URI;
use Switch;
@@ -297,6 +298,17 @@ sub valid_signature($) { }
sub selectmirror { + if (defined ${Conf::mirror}) { + my $uri = URI->new("${Conf::mirror}"); + + # Only accept HTTPS mirrors + if ($uri->scheme eq "https") { + return ("HTTPS", $uri->host, $uri->path . "/" . ${Conf::version}); + } else { + message("MIRROR ERROR: Unsupported mirror: " . ${Conf::mirror}); + } + } + ### Check if there is a current server list and read it. # If there is no list try to get one. my $count = 0; diff --git a/src/pakfire/pakfire.conf b/src/pakfire/pakfire.conf index 9930f3771..bc54dcff4 100644 --- a/src/pakfire/pakfire.conf +++ b/src/pakfire/pakfire.conf @@ -23,6 +23,9 @@ package Conf;
$mainserver = "pakfire.ipfire.org";
+# Only use this mirror +#$mirror = "https://mirror1.ipfire.org/pakfire2"; + $cachedir = "/opt/pakfire/cache"; $dbdir = "/opt/pakfire/db"; $coredir = "/opt/pakfire/db/core";
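Review bot: in the nfq hunk of config/suricata/suricata.yaml, `repeat-mark`/`repeat-mask` 2147483648 (0x80000000) and `bypass-mark`/`bypass-mask` 1073741824 (0x40000000) must stay identical to IPS_REPEAT_MARK/IPS_BYPASS_MARK in src/initscripts/system/firewall; both are hand-edited, so a comment in each file pointing at the other (and the hex value next to the decimal) would make drift visible. If they ever diverge, the firewall's `--mark "0x0/..."` gate would not recognise a re-injected packet and would queue it again.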
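Review bot: the `encryption-handling: bypass` and `stream: bypass: yes` hunks change inspection coverage, not only performance: the comment removed here spelled out that the default keeps tracking TLS sessions for Heartbleed and other anomalies, and with `bypass: yes` a stream is also handed off once `reassembly.depth` (1mb) is reached, so signatures that depend on post-handshake TLS anomalies or on data beyond the first megabyte of a stream will no longer match. This deserves a sentence in the commit message or release notes so operators know which rules are affected.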
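Review bot: the commit message for the IPSBYPASS chain says it clears the REPEAT bit, but the only rule in the chain in the `@@ -41,6 +43,16 @@` hunk of src/initscripts/system/firewall is `CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"`, which keeps REPEAT out of the connmark and leaves the packet mark untouched. If the clearing described in the message is intended, append `iptables -A IPSBYPASS -j MARK --set-xmark "0x0/${IPS_REPEAT_MASK}"`; otherwise the commit message should be corrected. The jump into IPSBYPASS requires both bits (`REPEAT|BYPASS`/`REPEAT|BYPASS`), so it only fires on the packet suricata re-injects, which is consistent with the later `0x0/` gate in front of the IPS_* chains, but a comment stating that would help.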
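Review bot: in the `@@ -380,7 +393,7 @@` hunk, `-m policy --pol ipsec --dir=out` is the right replacement for the mark-based exclusion, but IPSEC_MARK/IPSEC_MASK are deleted at the top of the same file, so anything else that still sets or matches 0x00800000 needs checking (the core 161 file list in this push ships `usr/libexec/ipsec/_updown`, which is a likely consumer). The surrounding comment still reads "masqerade".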
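Review bot: in the `selectmirror` hunk of src/pakfire/lib/functions.pl, when `$mirror` is set but its scheme is not https, `message(...)` is printed and the function then falls through to the normal server-list selection, so a mistyped pin silently un-pins Pakfire; returning an error after the message (or exiting) would fail closed, which is what an operator who deliberately pinned a mirror expects. Two smaller points: `$uri->host` drops a non-default port (`$uri->host_port` keeps it if ports are meant to be supported), and a trailing slash in `$mirror` produces `//` before the version in the returned path.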
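Review bot: the new `$mirror` comment in src/pakfire/pakfire.conf should state that only an `https://` URL is accepted and that the path is the directory above the version directory (as in the `/pakfire2` example), since a wrong value is only reported at run time by `selectmirror`.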
hooks/post-receive -- IPFire 2.x development tree