This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, kernel-5.15 has been created at 191347cc465f81898540e6e07fb6c610d87af372 (commit)
- Log ----------------------------------------------------------------- commit 191347cc465f81898540e6e07fb6c610d87af372 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Nov 4 08:04:20 2021 +0000
core161: add ovpnmain.cgi
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit cc79d2810fc81ddd1608803995ead2fe11276271 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Nov 3 19:18:55 2021 +0100
ovpnmain.cgi: Do not interpret $? as error code of move()
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9d418afb8ce566f28efa56f01f584ed9cdb633d5 Merge: 844f40bee f8dce3555 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 31 13:48:29 2021 +0000
Merge branch 'next'
commit f8dce3555a028b7f97f7b57c17d6491467d582fe Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 30 18:06:36 2021 +0200
IO-Stringy: download from IPFire server
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0049737e26cd40ab1c87c9f6251113e2fb68caea Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 30 14:54:53 2021 +0000
core161: remove dropped client175 addon
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 2d78849475f1c3ce33e10ae0890fe9187907b960 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Oct 29 19:11:34 2021 +0200
avahi: Install backup definition - bug#12714
- Addition of backup definition install into lfs file - Update of rootfile
Fixes: 12714 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 71b06657f986715b23b7a5cfbdf1553d85a33eb7 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Oct 23 13:54:51 2021 +0200
backup definitions: housekeeping to remove orphaned definitions
- check_mk_agent, client175 & lcr are addons that have been removed so the backup definitions are no longer required. - dma is not a package but a core program and has its config backup requirements built into the core backup include file so the addon backup definition is not used or needed. - No issues found in the build after these files were removed.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8ca80092c2bc11d436e9c686fb5eb22cde682837 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 21:58:32 2021 +0200
core161: disconnect before replace pppd
after replacing a running pppd connectd is failing until next boot so stop pppd before updating.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 869d9788f12e690ce11308b637a52f918fb98829 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 17:14:49 2021 +0200
core161: delete more orphaned shared obbject files
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f625c4207e62747cbfe2fd09fd0cf0851b131749 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 13:55:43 2021 +0200
core161: reconnect only if ppp is used
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 635e22e0241ee187d473df8a4d09e1d58c465a29 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 12:02:24 2021 +0200
core161: fix typo in path
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3c2b8c6cd99466b8e4d101b48a2d56e7296b3139 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 10:07:15 2021 +0200
gcc: enable parallel build
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 09b36b16c3ababba14e0942a2c45593f0d353bff Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 10:06:23 2021 +0200
core161: reconnect after firewall restart
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 967e2973b4c8f264ebf8e134edf362b4975c3b8c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 29 10:03:40 2021 +0200
kernel: armv6l rootfile update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit edb856c4af5dd4db50f0a10db4807d99e91e03d4 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 28 19:24:08 2021 +0200
core161: restart firewall to update IPSec nat exclude rule
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4c19c5b6eccdcb6c6eb21184b0b6b6e98b965ebe Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 28 19:23:00 2021 +0200
core161: qosctrl need full path to start
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 409b263f9f5136ebc5a368142b752205c34f5de9 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Oct 26 19:01:28 2021 +0200
Core Update 161: fix typo (stronswan != strongswan)
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 832490f063f81a54ecb470caaa3fab8c3f73c12e Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 28 00:39:07 2021 +0200
kernel: update to 5.10.76
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a7b4f847119660fd58a0da2652d56d5ffeff5e69 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 16:59:08 2021 +0000
general-functions: remove comment that system_output also in speed.cgi
this functions was removed from speed.cgi by reading kernel netowrk statistics instead of parsing ip -s show ...
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 95539a589e51dc2b0793ae58c1cd35f5fe858320 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Oct 23 14:44:56 2021 +0200
Remove orphaned ddns patches
These are no longer necessary, since ddns 0.14 comes with both of them applied.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 642318cbaaea173d50315e8cbe3720ea1e79bb05 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Oct 23 18:49:01 2021 +0200
git: Update to version 2.33.1
- Update from 2.31.0 to 2.33.1 - Update rootfile - Changelog is too long to show here. The details can be found in the 2.31.1.txt, 2.32.0.txt, 2.33.0.txt and 2.33.1.txt files in the Documentation/RelNotes directory in the source tarball
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9d72f4b05932ef53f95b621ea9a40cfd7255cee7 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Oct 23 18:49:32 2021 +0200
htop: Update to version 3.1.1
- Update from 3.0.5 to 3.1.1 - Update of rootfile not required - Changelog is too long to include here. Full details can be found at https://github.com/htop-dev/htop/blob/main/ChangeLog
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b88f6c476b45c173db54ce31d59dc42202c56e34 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 16:55:26 2021 +0000
core161: add curl
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit be52d700f160b1201d83fb942a0280f3f2d0f16a Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Sep 27 17:32:40 2021 +0200
curl: Update to version 7.79.1
- Update from 7.78.0 to 7.79.1 - Update of rootfile not required - Changelog Fixed in 7.79.1 - September 22 2021 Bugfixes: Curl_http2_setup: don't change connection data on repeat invokes curl_multi_fdset: make FD_SET() not operate on sockets out of range dist: provide lib/.checksrc in the tarball FAQ: add GOPHERS + curl works on data, not files hsts: CURLSTS_FAIL from hsts read callback should fail transfer hsts: handle unlimited expiry http: fix the broken >3 digit response code detection strerror: use sys_errlist instead of strerror on Windows test1184: disable tests/sshserver.pl: make it work with openssh-8.7p1 Fixed in 7.79.0 - September 15 2021 Changes: bearssl: support CURLOPT_CAINFO_BLOB http: consider cookies over localhost to be secure secure transport: support CURLINFO_CERTINFO Bugfixes: CVE-2021-22945: clear the leftovers pointer when sending succeeds CVE-2021-22946: do not ignore --ssl-reqd CVE-2021-22947: reject STARTTLS server response pipelining ares: use ares_getaddrinfo() asyn-ares.c: move all version number checks to the top auth: do not append zero-terminator to authorisation id in kerberos auth: properly handle byte order in kerberos security message auth: use sasl authzid option in kerberos auth: we do not support a security layer after kerberos authentication BINDINGS.md: update links to use https where available build: fix compiler warnings c-hyper: deal with Expect: 100-continue combined with POSTFIELDS c-hyper: fix header value passed to debug callback c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection c-hyper: initial step for 100-continue support c-hyper: initial support for "dumping" 1xx HTTP responses c-hyper: remove the hyper_executor_poll() loop from Curl_http CI/cirrus: reduce compile time with increased parallism CI: use GitHub Container Registry instead of Docker Hub cirrus: Add FreeBSD 13.0 job and disable sanitizer build cmake: avoid poll() on macOS cmake: sync CURL_DISABLE options codeql: fix error "Resource not accessible by integration" compressed.d: it's a request, not an order config.d: escape the backslash properly config.d: note that curlrc is used even when --config config: get rid of the unused HAVE_SIG_ATOMIC_T et. al. configure.ac: revert bad nghttp2 library detection improvements configure: error out if both ngtcp2 and quiche are specified configure: make --disable-hsts work configure: set classic mingw minimum OS version to XP configure: tweak nghttp2 library name fix connect: get local port + ip also when reusing connections connect: remove superfluous conditional curl-openssl.m4: check lib64 for the pkg-config file curl-openssl.m4: show correct output for OpenSSL v3 curl.1: mention "global" flags curl.1: provide examples for each option curl: add warning for ignored data after quoted form parameter curl: add warning for incompatible parameters usage curl: better error message when -O fails to get a good name curl: stop retry if Retry-After: is longer than allowed curl_easy_setopt.3: improve the string copy wording Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited curl_setup.h: sync values for HTTP_ONLY curl_url_get.3: clarify about path and query CURLMOPT_TIMERFUNCTION.3: remove misplaced "time" CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited CURLOPT_SSL_CTX_*.3: tidy up the example CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also docs/MQTT: update state of username/password support docs: remove experimental mentions from HSTS and MQTT docs: the security list is reached at security at curl.se now easy: use a custom implementation of wcsdup on Windows examples/*hiperfifo.c: fix calloc arguments to match function proto examples/cookie_interface: avoid printfing time_t directly examples/cookie_interface: fix scan-build printf warning examples/ephiperfifo.c: simplify signal handler FAQ: add two dev related questions getparameter: fix the --local-port number parser happy-eyeballs-timeout-ms.d: polish the wording hostip: Make Curl_ipv6works function independent of getaddrinfo http2: Curl_http2_setup needs to init stream data in all invokes http2: revert a change that broke upgrade to h2c http2: revert call the handle-closed function correctly on closed stream http: disallow >3-digit response codes http: ignore content-length if any transfer-encoding is used http_proxy: clear 'sending' when the outgoing request is sent http_proxy: fix the User-Agent inclusion in CONNECT http_proxy: fix user-agent and custom headers for CONNECT with hyper http_proxy: only wait for writable socket while sending request INTERNALS: bump c-ares requirement to 1.16.0 INTERNALS: c-ares has a new home: c-ares.org lib: don't use strerror() libcurl-errors.3: clarify two CURLUcode errors limit-rate.d: clarify base unit mailing lists: move from cool.haxx.se to lists.haxx.se mbedtls: avoid using a large buffer on the stack mbedTLS: initial 3.0.0 support mbedtls_threadlock: fix unused variable warning mksymbolsmanpage.pl: Fix showing symbol's last used version mksymbolsmanpage.pl: match symbols case insenitively multi: fix compiler warning with `CURL_DISABLE_WAKEUP` ngtcp2: compile with the latest ngtcp2 and nghttp3 ngtcp2: fix build with ngtcp2 and nghttp3 ngtcp2: remove the acked_crypto_offset struct field init ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read ngtcp2: reset the oustanding send buffer again when drained ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream ngtcp2: stop buffering crypto data ngtcp2: utilize crypto API functions to simplify openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA openssl: when creating a new context, there cannot be an old one opt-docs: make sure all man pages have examples opt-docs: verify man page sections + order opts docs: unify phrasing in NAME header output.d: add method to suppress response bodies page-header: add GOPHERS, simplify wording in the 1st para progress: fix a compile warning on some systems progress: make trspeed avoid floats runtests: add option -u to error on server unexpectedly alive schannel: Work around typo in classic mingw macro scripts: invoke interpreters through /usr/bin/env setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper strerror.h: remove the #include from files not using it symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version test1138: remove trailing space to make work with hyper test1173: check references to libcurl options test1280: CRLFify the response to please hyper test1565: fix windows build errors test365: verify response with chunked AND Content-Length headers tests/*server.pl: flush output before executing subprocess tests/*server.py: remove pidfile on server termination tests/runtests.pl: cleanup copy&paste mistakes and unused code tests/server/*.c: align handling of portfile argument and file tests: adjust the tftpd output to work with hyper mode tests: be explicit about using 'python3' instead of 'python' tests: enable test 1129 for hyper builds tests: make three tests pass until 2037 tool/tests: fix potential year 2038 issues tool_operate: Fix --fail-early with parallel transfers url: fix compiler warning in no-verbose builds urlapi.c:seturl: assert URL instead of using if-check vtls: fix typo in schannel_verify.c winbuild/README.md: clarify GEN_PDB option wolfssl: clean up wolfcrypt error queue write-out.d: clarify size_download/upload x509asn1: fix heap over-read when parsing x509 certificates
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c04ebdccee35ddac7cc483efb182982f7345052f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 16:52:15 2021 +0000
core161: add strongswan changes to update.
this core also stops strongwan before extracting because the updown script is changed.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c4c756333578fc43d7f712cbc262fc3f3bf1fc52 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Oct 23 14:49:52 2021 +0200
strongSwan: update to 5.9.4
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details. Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details. Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure. AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs. Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2). Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631). Loading SSH public keys via vici has been improved (#467). Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory. Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557). The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0. libtpmtss is initialized in all programs and libraries that use it. Migrated testing scripts to Python 3. The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
To my understanding, IPFire is not affected by CVE-2021-41990, as we do not support creation of IPsec connections using RSASSA-PSS (please correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire installations indeed.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit aa60fd7b3e61aeb08c68b67f615f8c94e6545447 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 18:43:45 2021 +0200
strongswan: remove unneded -j RETURN rules
after removimg the mark rules this rules are useless because they should skip expensive policy matches that now are removed.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 98d78fa824fd30a9bc2b90f7d3831ff20c9997b4 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 15:46:07 2021 +0200
makeqosscript: fix typo in comment.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a38c882bfb59d5b359b22df3d97f3ed88f497d93 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 13:45:39 2021 +0200
strongswan: remove CONNMARK rules.
the marks are not used by firewall and QoS anymore.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a8dd6e98ba04b8dc0e7642beab16c9efeaee6e33 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 12:58:10 2021 +0200
speed.cgi: replave parsing of ip show output
latest ipfroute2 update change the output so this repkace it by reading /sys/class/net/*/statistics
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 36b00b8ed130601a9aab14036c81c2ea788aa000 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 11:42:16 2021 +0200
makeqosscript: replace marks b< ipt policy match for upsec
this is more reliable at not loose some connections.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 66bc17dcc16f465fed435f366a8ccf01c6e6d814 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 24 17:06:34 2021 +0200
iproute2: build after iptables to get ipt filters for tc
to proper filter IPSec im QoS without using mark or connmark i need ipt filters for tc which are only build if iptables are build prior iproute2.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 572249bbf385d09dad98d0359921f96220a87c9f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 24 12:13:20 2021 +0000
core161: add iproute2
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 05b6dd44bef2f8a2cc4827533a6ff070a8852b8e Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Sep 7 13:03:22 2021 +0200
iproute2: Update version to 5.14.0
- Update from 5.13.0 to 5.14.0 - Update rootfile - Changelog Alexander Mikhalitsyn (2): ip route: ignore ENOENT during save if RT_TABLE_MAIN is being dumped libnetlink: check error handler is present before a call Andrea Claudi (9): tc: q_ets: drop dead code from argument parsing lib: bpf_legacy: avoid to pass invalid argument to close() dcb: fix return value on dcb_cmd_app_show dcb: fix memory leak tipc: bail out if algname is abnormally long tipc: bail out if key is abnormally long tc: htb: improve burst error messages lib: bpf_legacy: fix potential NULL-pointer dereference lib: bpf_glue: remove useless assignment Ariel Levkovich (2): tc: f_flower: Add option to match on related ct state tc: f_flower: Add missing ct_state flags to usage description Asbjørn Sloth Tønnesen (2): tc: pedit: parse_cmd: add flags argument tc: pedit: add decrement operation Christian Schürmann (1): man8/ip-tunnel.8: fix typo, 'encaplim' is not a valid option David Ahern (6): Update kernel headers Update kernel headers config.mk: Rerun configure when it is newer than config.mk Update kernel headers Update kernel headers Import wwan.h uapi file Dmytro Linkin (3): devlink: Add helper function to validate object handler devlink: Add port func rate support devlink: Add ISO/IEC switch Eric Dumazet (1): tc: fq: add horizon attributes Feng Zhou (1): lib/bpf: Fix btf_load error lead to enable debug log Gal Pressman (2): rdma: update uapi headers rdma: Add copy-on-fork to get sys command Gokul Sivakumar (3): bridge: reorder cmd line arg parsing to let "-c" detected as "color" option bridge: fdb: don't colorize the "dev" & "dst" keywords in "bridge -c fdb" man: bridge: fix the typo to change "-c[lor]" into "-c[olor]" in man page Guillaume Nault (1): utils: bump max args number to 512 for batch files Hangbin Liu (3): configure: add options ability configure: convert LIBBPF environment variables to command-line options ip/bond: add arp_validate filter support Heiko Thiery (1): lib/fs: fix issue when {name,open}_to_handle_at() is not implemented Hoang Le (1): tipc: call a sub-routine in separate socket Jacob Keller (1): devlink: fix infinite loop on flash update for drivers without status Jakub Kicinski (3): ip: align the name of the 'nohandler' stat ip: dynamically size columns when printing stats ss: fix fallback to procfs for raw sockets Jethro Beekman (1): ip: Add nodst option to macvlan type source Jianguo Wu (1): mptcp: make sure flag signal is set when add addr with port Lahav Schlesinger (1): ipmonitor: Fix recvmsg with ancillary data Martynas Pumputis (1): libbpf: fix attach of prog with multiple sections Neta Ostrovsky (3): rdma: Update uapi headers rdma: Add context resource tracking information rdma: Add SRQ resource tracking information Paolo Lungaroni (2): seg6: add counters support for SRv6 Behaviors seg6: add support for SRv6 End.DT46 Behavior Parav Pandit (2): devlink: Add optional controller user input devlink: Show port state values in man page and in the help command Peilin Ye (1): tc/skbmod: Remove misinformation about the swap action Phil Sutter (1): tc: u32: Fix key folding in sample option Roi Dayan (2): police: Add support for json output police: Fix normal output back to what it was Sergey Ryazanov (2): iplink: add support for parent device iplink: support for WWAN devices Stephen Hemminger (6): lib: remove blank line at eof uapi: update kernel headers from 5.14-rc1 libnetlink: cosmetic changes uapi: headers update uapi: update neighbour.h v5.14.0 Tyson Moore (1): tc-cake: update docs to include LE diffserv
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 10941827dbf9dd415a3da8864b09098517e5aef4 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Oct 23 08:01:51 2021 +0200
Core Update 161: Delete shared object files leftover from pppd 2.4.8
Rolled forward from commit 488e29e033097eadabd152e97022b71c21e6a414.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 01141196f6789e14c9d57e673cfeac63b9e348f5 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 16:18:46 2021 +0000
core161: ship azure-setup
with core158 was a bug fixed that local hyperV installations wait to long for the metadata service for azure but it was not shipped to existing installations.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 80a1f805912314e77cc4ed95d2a37069f4795785 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 16:16:32 2021 +0000
core161: add speed.cgi
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 110d4c81060c6663cdb562ee10afc7626c2d489b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 10:05:32 2021 +0200
speed.cgi: reduce system load by copying two general-functions.
include general-functions.pl load and initialize many subfunctions that are not needed by speed.cgi which was executed very often. So this reduce the system load significant if webif was open in browser and ajax-speed display enabled.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 6befc952cc9f71d314f696dc2621120d705e8220 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Oct 22 15:37:27 2021 +0200
minidlna: Add backup capability - bug#12710
- Backup definition missing - created ro backup config file - Update of rootfile - Addition of backup definition install into lfs file - Addition of restore and backup statements into install.sh and uninstall.sh pak scripts
Fixes: 12710 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ada4f4cc99efe7229e465bb86c51bd60c4abf64d Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 16:11:35 2021 +0000
core161: add gd changes
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 5f965f36f0bf8f4ae6f6341d9b59ce306ed0883b Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Sep 23 14:24:51 2021 +0200
GD-Graph: Update to version 1.54
- Update from 1.4308 (2006) to 1.54 (2016 - latest version) - Update of rootfile not required - Changelog 1.54 21 Nov 2016 - Disable two Y axes alignment when any y[12]_{min,max}_value is defined RT#62665 1.53 08 Jul 2016 - Fix 'Illegal division by zero' when x_min_value and x_max_value are defined and x_tick_number set to 'auto' RT#73185 Thanks to Bob Rogers, https://github.com/ruz/GDGraph/pull/12 1.52 28 Jan 2016 - y1_min_range and y2_min_range instead of min_range_1 and min_range_2, niether were documented before. - Update documentation in regards to all *_min_range options available. 1.51 27 Dec 2015 - fix shadows rendering on cumulative bar charts thanks to https://github.com/Tordek see https://github.com/ruz/GDGraph/pull/4 1.50 27 Dec 2015 - run samples as part of test suite to make sure no sample crashes thanks to https://github.com/tynovsky - properly define test requirements using newer MakeMaker 1.49 11 Mar 2015 - fix to Z-axis color filling in 3D pie charts (Debian Bug #489184) - bump ExtUtils::MakeMaker dependency - tiny improvement in the code of the samples 1.48 02 Aug 2013 - no code changes, just release enginering cleanup - adjust MANIFEST.SKIP file so MANIFEST can be generated once again - ship sample58.pl file, so `make samples` stop failing - mention the current and past maintainers in META files as authors - use newer CPAN::Meta and ExtUtils::MakeMaker, older versions generated META files without runtime prerequisites 1.47 28 Jun 2013 - experimental hide_overlapping_values option for bar graphs 1.46 26 Jun 2013 - This release is based on old work by Martien that was sitting in his repo - x_last_label_skip option - new samples and tweaks to old 1.45 21 Jun 2013 - read DISTRIBUTION STATUS in perldoc GD::Graph - no code changes since 1.44 1.44 25 Apr 2007 - Patched bugs 21610, 20792, 20802, 23755 and 22932 - Updated POD to clarify current maintenance status, and encourage bug reporting via RT (and to point out some external help resources)
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 6cdc5164ff8365896fcd1ddb1fff6f5716b92a9a Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Sep 23 14:24:50 2021 +0200
ExtUtils-PkgConfig: Build of this required for latest version of perl-GD
- ExtUtils-PkgConfig is required when building perl-GD - lfs and rootfile created - All rootfile entries commented out as only required for building of perl-GD - added to make.sh file just before perl-GD
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0aca0b419f827b33904306e2cce9f7ec2313daf6 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Sep 23 14:24:49 2021 +0200
perl-GD: Update to version 2.73
- Update from 2.35 (2006) to 2.73 (2020) - Update of rootfile - Updated version of perl-GD required ExtUtils-PkgConfig for build. Seperate patch to build that is part of this series - Changelog 2.73 * allow --options override the libgd options. Not recommended. See GH #33 and RT #130045 2.72 * fix CVE 2019-6977 colorMatch for older unpatched libgd versions. This is a severe security problem, an exploitable heap-overflow. See https://nvd.nist.gov/vuln/detail/CVE-2019-6977 2.71 * skip Test::Fork on freebsd (GH #25) 2.70 * fixes for hardened CCFLAGS with -Werror (RT #128167) 2.69 * little spelling error, GH #29 Xavier Guimard 2.68 * fix GD::Polygon->clear, RT #124463 Michael Cain 2.67 * fix thread-safety for GD::Simple %COLORS (#26 melak) * fix arc start-angle docs, RT #123277 Andrew G Gray * improve setBrush docs, RT #123194 Andrew G Gray * improve StringFT docs, RT #123193 * replace MacOSX by darwin, and not by Mac OS X/macOS as suggested in PR #24 * add GD::Image->_file method as suggested in RT #60488 by Kevin Ryde, also the helper GD::supportsFileType 2.66 * throw proper error on newFrom* with not-existing file * add t/transp.t from RT #40525 * Improve RT #54366 multiple gd.h warning * better doc for GD::Simple->arc * fix ANIMGIF with libgd 2.3.0-dev 2.65 * fix --gdlib_config_path to accept an argument (fperrad) 2.64 * Update doc for LIBGD_VERSION() * Fix 5.6.2, which does not have float in its typemap 2.63 * renamed VERSION() to LIBGD_VERSION(), RT #121307. It was treated magically by "use GD 2.18" 2.62 * fixed wrong <5.14 code generated with ExtUtils::Constants RT #121297. Don't generate const-xs.inc, only when missing. * add -liconv on hpux also (our pkgconfig parser cannot handle it) 2.61 * add CONFIGURE_REQUIRES META * add --gdlib_config_path * add Image Filters: scatter, pixelate, negate, grayscale, brightness, contrast, color, selectiveBlur, edgeDetectQuick, gaussianBlur, emboss, meanRemoval, smooth, copyGaussianBlurred * add palette methods: createPaletteFromTrueColor, neuQuant (but discouraged), colorMatch. * add interpolation methods: copyScale, copyRotateInterpolated, interpolationMethod. * add double GD::VERSION * add all gd.h constants 2.60 * add missing methods newFromWBMP, newFromXbm, (RT #68784) and some missing docs * Add --lib_fontconfig_path, --fcgi options * rewrote most of the XS code * cleanup Makefile.PL #20 2.59 * error on failing libgd calls * fix colorClosestAlpha, colorAllocateAlpha * add missing documentation 2.58 * fix VERSION_STRING for 2.0.x * honor --lib_gd_path specific gdlib-config * Loosen the comparison tests with GDIMAGETYPE ne gd2 * Improve gdlib-config parsing (PR #17), esp. with 2.0.34 2.57 * fix Jpeg magic number detection RT #26146 * fix RGB - HSV roundtrips: RT #120572 by J2N-FORGET * fix -print-search-dirs errors RT #106265 * co-maint to rurban * add hv_fetchs, CI smokers * add GD::VERSION_STRING api 2.56_03 * add alpha method * improve option handling * fix meta data 2.56_02 * fix feature extraction >= 2.2 [RT #119459] 2.56_01 * rm Build.PL, fix permissions, fix for missing gdlib-config 2.56 * Fix Makefile.PL so that it works again. 2.55 * Great simplification of regression framework ought to fix make test problems. * Replace ExtUtils::MakeMaker script with Module::Build system (just in time for Module::Build to be deprecated). * Remove archaic qd.pl (for creating QuickDraw picts) from distribution. 2.54 Patch from yurly@unet.net to fix image corruption in rotate180 when image height is odd. 2.53 Points to Gabor Szabo's GD::Simple tutorial, and fix link to repository. 2.52 Fix regression tests to run on Ubuntu 12.04 64bit. 2.51 Fix misleading warning message about location of gd.h file. 2.50 Fix gdUseFontConfig so that it can be called as a class method. 2.49 Add GitHub information to README. 2.48 Fix compile crash on windows and strawberry (https://rt.cpan.org/Public/Bug/Display.html?id=67990). 2.47 Fix compilation on older perl's without the Newxz macros. 2.46 Added a basic "use" test for GD::Simple 2.45 Clarified the GD license. There is now a formal LICENSE file in the package. 2.44 GD::Group now installed properly. Quenched compiler warning caused by Newxs() calls. 2.43 Added "transparent" color to GD::Simple. Fixed Makefile so that GD/Image.pm depends both on GD/Image.pm.PLS and .config.cache 2.42 Fixed magic number detection to autodetect certain missed jpeg files (thanks to Mike Walker) 2.41 Added backend support for grouping features in GD::SVG module. 2.40 ** Do not use - contains a bug ** 2.39 Makefile.PL will refuse to run if the proper version of libgd is unavailable. 2.38 Fixed bizarre warning about /usr/include/gd.h != /usr/include/gd.h. 2.37 GD/Image.pm did not bring in croak() properly, meaning that incorrect error messages are printed out when any of the newFromXXX() calls are made. 2.36 Instructions on using gdAntiAliased with palette images.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 5f71d0a6bf369719e2456c2ffe34e4ac2b103e94 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Sep 23 14:24:48 2021 +0200
gd: Update to version 2.3.3
- Update from 2.0.33 (2006) to 2.3.3 (Sep 2021) - Updating gd requires GD-Graph and perl-GD to be updated otherwise the png graphs didn't work so all required changes are part of this patch series - Update rootfile - Dependencies checked from library so bump. Nothing found. - Changelog is too large to include here. For full details see https://github.com/libgd/libgd/releases
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 726891607b32908e8f757d941b5202387c90ca89 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 16:00:49 2021 +0000
core161: add backup exclude
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d2c2025b3d0271d3afdccc43b550a07b59480c94 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 26 12:43:01 2021 +0200
backup/exclude: unbound is missing hosts.conf include after restoring a backup of an older version
- Added unbound.conf to backup/exclude list to fix bug #12441
Fixes: #12441 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit bca0fb81476b3ca5b7352435e38a06a7dd1332b0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 15:56:53 2021 +0000
core161: add ppp changes
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 52764dbe7f6439045040ab35719953cf178063b9 Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jul 7 21:49:35 2021 +0200
Tell pppd not to ask for IPv6 addresses during dial-up
pppd 2.4.9 supports IPv6 and asks for an IPv6 configuration by default. Setting the received prefix in the kernel will never work, however, as the rest of IPFire 2.x does not support IPv6.
pppd notices the ISP about this, and at least Otenet (GR) and British Telecom (several countries) decide to close a dial-up connection then. German DTAG seems to ignore such errors silently.
This patch adds an option to the pppd call to prevent asking for an IPv6 configuration, hence avoiding this errors.
To apply this patch, it is necessary to ship ppp 2.4.9 again. Since I have no access to a testing machine behind an ISP supporting IPv6, this patch unfortunately is untested.
Fixes: #12651
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit aa45d923ebc396fdbe4a95db3d54457bd55fd20e Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jul 7 21:49:11 2021 +0200
Revert "Revert "ppp: update to 2.4.9""
This reverts commit 2d6e633d7f20bd94cbc36880049d2599e93bdaf3.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d6f10036654c1f0a6457fd5a67e144f64e7280e5 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Sep 5 22:45:05 2021 +0200
cups-filters: Update to version 1.28.10
- Update from 1.28.9 to 1.28 10 - Update rootfile - Changelog CHANGES IN V1.28.10 - Sample PPDs: Add borderless page size definitions to Generic PDF Printer, HP Color LaserJet CM3530 MFP PDF, and Ricoh PDF Printer PPD files. - Sample PPDs: From the PDF PPD files removed the unneeded "*cupsFilters2: ..." line. For CUPS it does not make any difference. - libcupsfilters: Fixed pdftopdf filter to correctly support page ranges without upper limit, like "10-" (Pull request #399). - libcupsfilters: Use wildcard tag (IPP_TAG_ZERO) search for "media-type" and "media-type-supported" in the PPD generator (Pull request #398). - implicitclass, parallel: Added missing newlines at error messages. - libfontembed: Removed unneeded fontembed/main.c and ttfread executable. Eliminates the dependency on DejaVuSans.ttf (Issue #386). - gstoraster: Refactor the filter a little to clarify handling of page counts and set job-impressions for TotalPageCount in PWG-Raster header (Pull request #394). - cups-browsed: Make NotifLeaseDuration configurable and renew after half the lease duration not 60 sec before end. The early renewal improves reliability on busy systems a lot. For easier development and debugging short durations from 300 sec on can get selected (Pull request #378).
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 64aa254af13f6164e8c441f1ed43b838580064cd Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Sep 20 17:08:18 2021 +0200
monit 5.29.0: Bump forgotten PAK_VER
Thanks Adolf! ;-)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e01dd97b5c08f90249894e9b0ef7e29543a057b7 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Sep 18 16:11:10 2021 +0200
monit: Update to 5.29.0
For details see: https://mmonit.com/monit/changes/
New: Issue #715: The PostgreSQL protocol test has been improved and now supports authentication with username, password and database when testing connection. Example:
if failed port 5432 protocol pgsql username "username" password "12345" database "test" then alert
Previous Monit versions used hardcoded credentials when testing connection to postgresql (user=root and database=root). This could trigger thousands of messages like this in the postgresql log:
root@root FATAL: password authentication failed for user "root" root@root DETAIL: Role "root" does not exist.
Note: Monit will continue to use the hardcoded credentials (for backward compatibility) unless username and password are set. New: Issue #973: You can now test program output using a regular expression. Syntax:
IF CONTENT [!]= <regex> THEN action
Example:
check program disk0_smart with path "/usr/sbin/nvme smart-log /dev/nvme0" if content != "critical_warning[ ]+: 0" then alert
New: Issue #974: Monit CLI: Added support for the -g (group) option to the report command. Example:
monit -g database report
Fixed: Issue #991 (Monit 5.28.1 regression): MacOS: Monit didn't compile on MacOS 10.13 or older. Thanks to Lutz Mader.
Fixed: Issue #994 (Monit 5.28.1 regression): The check program statement with every did not work properly.
Fixed: Issue #995: Monit start delay was vulnerable to time jumps when Monit is waiting for the delay to pass. Thanks to Daniel Crowe.
Fixed: Issue #975: Monit CLI: Monit did not report a warning if -s, -p, -l, -g or -c command-line options were specified multiple times and silently used the last value only. Monit will generate a warning now.
Fixed: Issue #972: Monit GUI: The log view had no size limit when reading the Monit log file and could block the browser if the log file was large.
Fixed: Issue #955: If more than one every statement is used in a check-service context only the last value is (silently) used. We now report a warning in this case.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 448649ae645c285d04294773fc60ea1510cfe029 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Sep 28 23:21:16 2021 +0200
shairport-sync: Update to version 3.3.8
- Update from 3.3.7 to 3.3.8 - Update of rootfile not required - Changelog Version 3.3.8 **Enhancements** * Documentation for the MQTT interface. Many thanks to [minix1234](https://github.com/minix1234)! **Bug Fixes** * Fix a bug in the `alsa` back end. In the interval between checking that the alsa device handle was non-`NULL` and actually using it, the handle could be set to `NULL`. The interval between check and usage is now protected. * Fix a bug in the `alsa` precision timing code. Thanks to [durwin99](https://github.com/durwin99), [Nicolas Da Mutten](https://github.com/cleverer), [mistakenideas](https://github.com/mistakenideas), [Ben Willmore](https://github.com/ben-willmore) and [giggywithit](https://github.com/giggywithit) for the [report](https://github.com/mikebrady/shairport-sync/issues/1158). * Fix a bug that caused Shairport Sync to hang, but not actually crash, if an `on-...` script failed. * Fix a crash that occurred if metadata support is enabled during compilation but turned off in the configuration file. Thanks to [Tim Curtis](https://github.com/moodeaudio) for the report. * Fix a crash that occurred playing from AirPower on Android. Thanks to [Ircama](https://github.com/Ircama) for the report. * Fix the configure.ac file so that `--without-<feature>` configuration options are not interpreted as `--with-<feature>` options instead! Thanks to [David Racine](https://github.com/bassdr) for the report.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 725d6a49169d779efe2493478f9c4a7c2e9b8f45 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 10:45:26 2021 +0000
core161: add logwatch
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 1c71ff6b2ccde8383529ed26937e1cd21f4cce08 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Oct 6 15:48:35 2021 +0200
logwatch: mdadm status missing - Fix for Bug 12080
- Addition of mdadm module to logwatch - Addition of logwatch to sudoers list to run mdadm commands - patch to change logwatch mdadm.conf to allow scan for raid drives, change mdadm script to run mdadm scan commands with sudo, allow clean but degraded drives to be listed in the output.
Fixes: 12080 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4ee445ce44e801c5746e05f06ffa7d05932fdee7 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Oct 20 22:28:43 2021 +0200
ghostscript: Update to version 9.55.0
- Update from 9.54 to 9.55.0 - Update rootfile - Changelog Version 9.55.0 (2021-09-27) Highlights in this release include: This release includes the fix for the %pipe% security issue (CVE-2021-3781). New PDF Interpreter: This is an entirely new implementation written in C (rather than PostScript, as before). For a full discussion of this change and reasons for it see: Changes Coming to the PDF Interpreter. In this (9.55.0) release, the new PDF interpreter is disabled by default in Ghostscript, but can be used by specifying -dNEWPDF. We hope to make it the default in 9.56.0, and fully deprecate the PostScript implementation shortly after that (depending on the feedback we get). This also allows us to offer a new executable (gpdf, or gpdfwin??.exe on Windows) which is purely for PDF input. For this release, those new binaries are not included in the "install" make targets, nor in the Windows installers (they will be from 9.56.0 onwards). We would ask that as many users as possible take the opportunity to test with the new PDF implementation (i.e. using -dNEWPDF on your gs command line), and discuss any problems with us, before the new implementation becomes the default. The pdfwrite device now supports "passthrough" for JPX/JPG2000 data images (as well as the already supported JPEG/DCT Encoded). That means that if no rescaling or color conversion of the image data is required, the encoded/compressed image data from the input file will be written unchanged to the output, preventing potential image degradation caused by decompressing and recompressing. The Ghostscript/GhostPDL demo apps for C, C#, Java and Python have all had improvements and the C#/Java/Python language bindings have now been documented, see Ghostscript Language Bindings The Zugferd compliant PDF generating definitions (lib/zugferd.ps) have been updated and expanded to support the current version (2.1.1) of the Zugferd spec, and optionally different versions of the specification. The PCL/m output devices now support Duplex/Tumble. The internal support for "n-up" style simple imposition (introduced in 9.54.0) has been extended and improved for better support across all input formats. Ghostscript now supports object specific halftone - for example, different halftones can be specified for text and images, reflecting the differing needs of rendering those two types of object. Our efforts in code hygiene and maintainability continue. The usual round of bug fixes, compatibility changes, and incremental improvements. (9.53.0) We have added the capability to build with the Tesseract OCR engine. In such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render the output file to an image, OCR that image, and output the image "wrapped" up as a PDF file, with the OCR generated text information included as "invisible" text (in PDF terms, text rendering mode 3). Mainly due to time constraints, we only support including Tesseract from source included in our release packages, and not linking to Tesseract/Leptonica shared libraries. Whether we add this capability will be largely dependent on community demand for the feature. See Enabling OCR for more details. For a list of open issues, or to report problems, please visit bugs.ghostscript.com. Incompatible changes (9.55.0) Changes to the device API. This will affect developers and maintainers of Ghostscript devices. Firstly, and most importantly, the way device-specific "procs" are specified has been rewritten to make it (we think!) clearer and less confusing. See The Interface between Ghostscript and Device Drivers and The Great Device Rework Of 2021 for more details. (9.55.0) The command line options -sGraphicsICCProfile=___, -dGraphicsIntent=#, -dGraphicsBlackPt=#, -dGraphicsKPreserve=# have been changed to -sVectorICCProfile=___, -dVectorIntent=#, -dVectorBlackPt=#, -dVectorKPreserve=#. From 9.55.0 onwards, in recognition of how unwieldy very large HTML files can become (History9.html had reached 8.1Mb!), we intend to only include the summary highlights (above). For anyone wanting the full details of the changes in a release, we ask them to look at the history in our public git repository: ghostpdl-9.55.0 log. If this change does not draw negative feedback, History?.htm file(s) will be removed from the release archives.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0df914ef30b67a45f59ff8d02cddd76245d64953 Author: Stéphane Pautrel steph78630@gmail.com Date: Wed Oct 20 09:21:36 2021 +0000
lang: Update French translation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9a93f07dae62990610d0b7168e83767e907803e4 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Oct 20 09:21:35 2021 +0000
Run "./make.sh lang"
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit dbd455ef936277aae9cf4d7d7294f0ceca495b84 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Oct 20 17:46:37 2021 +0000
make.sh: Rewrite uploadsrc with rsync
Instead of having a very dodgy diff of filelists, this rsync call does everything automatically and only requires authentication once.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 65710b528a73425a86b286c982130457f3a7d7f4 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Oct 8 15:43:49 2021 +0200
pcengines-apu-firmware: Update to version 4.14.0.4
- Update from 4.14.0.2 to 4.14.0.4 - Update of rootfile - Changelog v4.14.0.4 Release date: 2021-09-17 Changed: Rebased with official coreboot repository commit d9f5d90 Enabled EHCI controller by default on apu3-apu6 platforms Updated sortbootorder to v4.6.22 Added: Safeguard against setting watchdog timeout too low Known issues: apuled driver doesn't work in FreeBSD. Check the GPIOs document for workaround. Some PCIe cards are not detected on certain OSes and/or in certain mPCIe slots. Check the mPCIe modules document for solution/workaround. Booting with 2 USB 3.x sticks plugged in apu4 sometimes results in detecting only 1 stick Certain USB 3.x sticks happen to not appear in boot menu Booting Xen is unstable v4.14.0.3 Release date: 2021-08-06 Changed: Rebased with official coreboot repository commit c049c80
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f85e3493ac71b05d9c5499d8b08b4aaa87c548f5 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 10:23:41 2021 +0000
core161: add ca-certificates
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 82c53ef9df7eb0ab75d8d5be42206f14e2b703f1 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Sep 25 11:41:29 2021 +0200
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 76f36a621d1ec83b3a998c600b7bb92f40a88cf0 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Sep 25 09:09:00 2021 +0200
Tor: Bump package version
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 91aa257ed732cfa881740310d659db7554bece3d Author: Peter Müller peter.mueller@ipfire.org Date: Sat Sep 25 09:08:42 2021 +0200
Tor: Do not try to support IPv6 for Directory and OR ports
We currently don't have IPv6 in vanilla IPFire 2.x installations, hence there is no sense in letting Tor finding out IPv6 connectivity.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit fb4e1d53a0f079a82717203d0ff7eeea7d0c6162 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Sep 25 09:08:22 2021 +0200
Tor: Use crypto hardware acceleration if available
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0b6a2e761bc14d90725beda5b31f1637a599d163 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Sep 25 09:07:58 2021 +0200
Tor: Enable syscall sandbox
This makes post-exploitation activities harder, in case the local Tor instance has been compromised. It is worth noticing that Tor won't respond to a "GETINFO address" command on the control port if sandboxed, but our CGI does not make use of it, and neither is any legitimate service on IPFire doing so.
Tested on a small middle relay running on an IPFire machine.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0e0c1a8aec13c626b905e97531a2f3f1b5d31e9b Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Sep 11 12:57:09 2021 +0200
krb5: Update to version 1.19.2
- Update from 1.19.1 to 1.19.2 - Update of rootfile not required - Changelog Major changes in 1.19.2 (2021-07-22) This is a bug fix release. * Fix a denial of service attack against the KDC encrypted challenge code [CVE-2021-36222]. * Fix a memory leak when gss_inquire_cred() is called without a credential handle. krb5-1.19.2 changes by ticket ID 8989 Fix typo in enctypes.rst 8992 Avoid rand() in aes-gen test program 9005 Fix argument type errors on Windows 9006 doc build fails with Sphinx 4.0.2 9007 Fix KDC null deref on bad encrypted challenge 9014 Using locking in MEMORY krb5_cc_get_principal() 9015 Fix use-after-free during krad remote_shutdown() 9016 Memory leak in krb5_gss_inquire_cred
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4bd07ee400b1c39e4efec803567efc024147674a Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Sep 11 12:56:48 2021 +0200
7zip: Update to version 17.04
- Update from 17.03 to 17.04 - Update rootfile - Changelog Version 17.04 - add lzip decompress - update zstd 1.4.9
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8c943731b14e100e2c55f600e110e28e4040b528 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 10:16:23 2021 +0000
core161: add exfatprogs
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 574690dc0015447b5db788ab08190790e0c22d7b Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Sep 9 13:53:30 2021 +0200
exfatprogs: Provide package to work with exfat formats
- Create lfs and rootfile - Add exfatprogs to make.sh - exfat is supported as a native kernel module since kernel 5.7 - This package requires CONFIG_EXFAT_FS=m to be set for the kernel module for each architecture that will be supported. Currently that is only i586
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit eb8dcf245fc8fa1c40f5248863dd4a003f68e35e Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 22 10:14:04 2021 +0000
core161: add dosfstools
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 923cf5358ca02c25bb57efb39fa5d00740c86364 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Sep 8 23:21:14 2021 +0200
dosfstools: Update to version 4.2
- Update from 3.0.9 (2013) to 4.2 (2021) - Update rootfile - Program names changed in version 2.0.18 dosfslabel became fatlabel dosfsck became fsck.fat and mkdosfs became mkfs.fat - Added --enable-compat-symlinks to ./configure command to maintain original names as symlinks
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 2e82a4002daac145ad2d46978667994728e2dcf0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 21 04:39:52 2021 +0200
kernel: update to 5.10.75
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 20977f0a83e41d1128570f3d88d5c861200e4094 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 18:36:32 2021 +0000
core161: generate new qos.sh
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a3c9708117a60e6e49ba4bd828d3f68d0746e54d Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 18:35:01 2021 +0000
core161: add pakfire.cgi
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 7f7f546e4ae25d75738d6c326149476d7def615a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Oct 18 21:09:58 2021 +0200
pakfire.cgi: Implement logic to lock the page until pakfire has been fully launched.
When performing any action which requires pakfire, the page gets locked with an message informing the user that pakfire is working. The page will be reloaded when pakfire has been launched and is doing the requested operation - showing the well known log output. This also happens when pakfire has been launched via any kind of terminal or SSH session and the CGI gets accessed.
Internally before pakfire gets started a variable called page_lock will be set to lock the page. An while loop will keep the page locked until pakfire is launched fully and has written it's lock_file.
This approach will prevent us from any kind of required time intervall or race conditions.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e850a61429b03cb77a9dc798e9f093500db09a87 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 18:27:49 2021 +0000
firewall: replace mark with --pol ipsec to exclude ipsec traffic from masquerade
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ef7d9d7657a3062dbba694728c4c8c6b05caa4c7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 18:25:11 2021 +0000
core161: add suricata changes
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d4ff0694c5fa0ec1798cbf849b896b3212a262f6 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Oct 18 22:36:02 2021 +0200
squid-asnbl: update to 0.2.3
Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the behaviour of this script in case of invalid or unresolvable FQDNs, preventing Squid from eventually shutting down due to too many BH's per time.
Since this allows (authenticated) users to run a DoS against the Squid instance, it is considered to be security relevant.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 19357bc55e63cbde3bfae3f46bfaf5e655871763 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:22 2021 +0000
firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3fa8300e706227db9f72b4b1349dde3e66399298 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:21 2021 +0000
suricata: Introduce IPSBYPASS chain
NFQUEUE does not let the packet continue where it was processed, but inserts it back into iptables at the start. That is why we need an extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection * Clear the REPEAT bit
The latter is more of cosmetic nature so that we can identify packets that have come from suricata again and those which have bypassed the IPS straight away.
The IPS_* chain will now only be sent traffic to, when none of the two relevant bits has been set. Otherwise the packet has already been processed by suricata in the first pass or suricata has decided to bypass the connection.
This massively reduces load on the IPS which allows many common connections (TLS connections with downloads) to bypass the IPS bringing us back to line speed.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 2469ca9fbab0a02502fc8086bc94517d7dcdcfaf Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:20 2021 +0000
suricata: Store bypass flag in connmark and restore
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 49dd3e2946435b0f4dc77ca1a9d7b14d22edca8d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:19 2021 +0000
suricata: Add rule to skip IPS if a packet has the bypass bit set
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 855475580b153f05df8417d408193142a76950cf Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:18 2021 +0000
suricata: Always append rules instead of inserting them
This allows us to add rules in a consistent order like they are in the script.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9deccd1cbab7e446a362b6410fb88b36b655a7cd Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:17 2021 +0000
suricata: Enable bypassing unhandled streams
If a stream cannot be identified or if suricata has decided that it cannot do anything useful any more (e.g. TLS sessions after the handshake), we will allow suricata to bypass any following packets in that flow
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 11f7218f9cd16b32b2cb4477355e0e5057df6399 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:16 2021 +0000
suricata: Define bypass mark
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4f07c279a01d076d7f788ac8635194a8bb7c51cd Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:15 2021 +0000
suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK
This should avoid confusion when we add more marks
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 761fadbdde805c8863a1f2a736408367a38f94da Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 18 10:10:14 2021 +0000
suricata: Set most significant bit as repeat marker
I have no idea why some odd value was chosen here, but one bit should be enough.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org Tested-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit aaf266ac2b1c230eeb1ba897c9674aaf28cbcf53 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 11:32:00 2021 +0000
core161: add pakfire.conf and pakfire/lib/functions.pl
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ec18a1ecae60c6c3b6418e300aebd6a823844c8d Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 14 19:01:49 2021 +0000
pakfire: Allow pinning Pakfire to one mirror server
This patch adds a new $mirror option to the configuration file which will cause Pakfire to only use this one to download any files.
This feature is disabled by default but useful for development.
Fixes: #12706 Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 56702858529ae1bf75e21da3ef00f136bacedfcd Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 11:27:58 2021 +0000
core161: add index.cgi and general-functions.pl
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 637eb94684cb0029ca76bb67dda8a8d2c15560ab Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 14 13:26:30 2021 +0000
index.cgi: Remove left-over DNSSEC status warning
An error message is still shown although there is no option to disable DNSSEC at the moment. The old marker file could still be present on older machines.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0165dd40256fb1fe8474140cf54eb30cfb9fb7f3 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 19 11:23:12 2021 +0000
core161: add partresize
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a09578f4eb954ea982926daab53c34492df05b43 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 14 12:00:31 2021 +0000
OCI: Enable serial console by default
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 80909fb6da64a911c900df50805fd5866685faf0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 18 18:57:18 2021 +0200
strongswan: update _updown to use conmark for QoS
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 819fdfb17a3cbc7c25ce098be83896bcd3311567 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 18 14:44:59 2021 +0200
QoS: imgress Connmark restore, layer7 and IPSec handling
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 03c7877845a147029fa122f35ea5a1a3289aacf6 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 18 00:35:42 2021 +0200
kernel: update to 5.10.74
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3c838a59ea59e3f47fbb0b381a4e2b7f7a8f3571 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 16 10:18:42 2021 +0200
makeqosscripts: add missing parenthesis at QOS_OUT Layer7 rules.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 79930b29a4cf0e891c294c3a1db22b0d7c0a03f1 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 15 08:07:04 2021 +0200
kernel: update to 5.10.73
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b04724fd348c2f4e41607603ab25c1f18b96a919 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 15 06:00:08 2021 +0000
u-boot-friendlyarm: copy binary from core159
this u-boot version cannot build without python2 that is removed with core161 so this copy the binary from older build.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c8bb619a71cdea01bc86fe20d2d73f8fec4cf7e0 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 16:36:59 2021 +0000
core161: remove python2 module from collectd
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 97ac4778bbbc73d8e5a430fa750f133fd3590f8e Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 16:33:43 2021 +0000
core161: now use 2to3 of python3
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b0302f7fad48b64c4cab3a1357c5e5fd6dd9ffa7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:33:09 2021 +0000
core161: remove python2 at update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit d5bb33744ac0ec18e0f8eb1e74cceb6c02aa3083 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Aug 24 12:34:53 2021 +0200
python: removal of python2 from IPFire
- Final patch for removal of python2 from IPFire. This can be implemented in an appropriate Core Update after all other python2 related patches have been implemented and confirmed working.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 81acbae3f14da9cb2faa69559488ab1435925df1 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Oct 8 19:22:24 2021 +0200
nano: Update to 5.9
For details see: https://www.nano-editor.org/news.php
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8e3167cc44c8a46eac7b9cc6d7b5987333bc4f23 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:23:40 2021 +0000
guardian: bump PAK_VER
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 2f6232d56cf6e02370377ace649e529c35c13655 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Oct 9 11:23:25 2021 +0200
Bought a 'd' - fixed an old typo
'bandwith...' should be 'bandwidth...'.
Despite being my favourite typo for the past few years(?), today I decided to try to say 'Goodbye' to an old friend.
Similar to 'MB writen' its hard but I think it just about time.
'qos' and 'guardian' will never be the same for me... ;-)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 13aeb192178b57bc1b14abc514a022ca89cc87bd Author: Peter Müller peter.mueller@ipfire.org Date: Sun Oct 10 21:43:14 2021 +0200
proxy.cgi: Remove option to show Squid's version entirely
There is no sense to display this to anybody, and we do not reveal version information anywhere else on purpose. The IT staff knows which version of IPFire they are running (hopefully the latest), and it's none of the rest of the world's business.
Fixes: #12665 (in some way)
Signed-off-by: Peter Müller peter.mueller@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 61cc803fadf4beef80793a691c18d6a4f186863f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:16:45 2021 +0000
core161: add squid-asnbl and proxy.cgi
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit cb17776812e1f3b3c780637c107b0da14416306f Author: Peter Müller peter.mueller@ipfire.org Date: Sun Oct 10 19:44:06 2021 +0200
langs: Add English and German translations for newly added web proxy features
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit bb5ca28313ccfe3a4cb901a33c0601d916782f0e Author: Peter Müller peter.mueller@ipfire.org Date: Sun Oct 10 19:43:41 2021 +0200
proxy.cgi: Implement proactive Fast Flux detection and detection for selectively announced destinations
This patch adds two new features to IPFire's web proxy:
(a) Proactive Fast Flux detection FQDNs are resolved to their IP addresses, which are then resolved to corresponding Autonomous System Numbers using IPFire's location database. Most destinations will scatter across a very low number of ASNs (not to be confused with IP addresses!). FQDNs hosted on Fast Flux setups have a significantly higher ASN diversity (5 is usually a good threshold), so they can be proactively detected.
(b) Detection for selectively announced destinations Especially in targeted operations, miscreants host FQDNs for exfiltrating data or malware distributions on ASNs not announced globally, but only to the intended victim or it's upstream ISPs.
That way, security researchers located in other parts of the internet have no insights into these attacks, hence not being able to publish listings or send take down notices for the domains used.
While RPKI made this attack harder, it can still be observed every now and then.
This feature also protects against accessing FQDNs resolving to IP addresses not being globally routeable, hence providing a trivial mitigation for so-called "rebound attacks" - which we cannot filter at DNS level currently.
The second version of this patch consumes the user-defined whitelist for the URL filter (if present and populated) for the ASNBL helper as well, to make exceptions for funny destinations such as fedoraproject.org possible. In addition, the ASNBL helper's sanity tests no longer include publicly routable IP addresses, so failures on location01 cannot brick IPFire installations in the field.
Thanks to Michael Tremer and Adolf Belka for these suggestions.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 2b591415539ee80fb71d282eccad22b937d2ee96 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Oct 10 19:43:18 2021 +0200
squid-asnbl: New package
This package adds an ASNBL helper for detecting Fast Flux setups and selectively announced networks (i. e. FQDNs resolving to IP addresses not being announced by an Autonomous System) to the distribution. Afterwards, the helper script is located at /usr/bin/asnbl-helper.py .
The second version of this patch updates squid-asnbl to upstream version 0.2.2, improving logging in case of detected Fast Flux setups.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e314dc82a85f4e8d0f3f18f6f48fd2e4e1cabef7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:10:04 2021 +0000
core161: add hexdump
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 45124fbbc286d8cb325615d4e5b512fb651cf1fe Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Oct 10 12:57:42 2021 +0000
util-linux: Ship hexdump
This is a handy tool which can help debugging any problems and should be part of the distribution.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9f9d0974f00bc520e6a59f0c89096dda09adf353 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Oct 9 23:07:43 2021 +0200
client175: Removal of this package as it currently only works with python2
- Removal of the lfs, rootfile and initscript - Removal of client175 entry in the make.sh file
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c59dc6a724b0da61d65ea1be603e6b27b4da8a68 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:08:30 2021 +0000
core161: add makegraphs and hddshutdown
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit cbf3a350ac15b1e3a27db0411a5623ba5ce40e71 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Oct 8 23:38:24 2021 +0200
makegraphs: Update script for new iostat output format - Bug#12702
- Modification of iostat line as per input in Bug#12702
Fixes: 12702 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 74b9fcc65e73802926ce6c1cc3d488598b361802 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Oct 8 23:38:23 2021 +0200
hddshutdown: Update script for new iostat output format - Bug#12702
- Modification of iostat line as per input in Bug#12702
Fixes: 12702 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a4d0d0a1e4ac946ff65bd65d03a6f705d69f8134 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:03:56 2021 +0000
core161: add apache2
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b6ef9f4b3e2a2fb8ea69c6721ba73c08d855ad08 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Oct 8 19:12:40 2021 +0200
apache: Update to 2.4.51
For details see (2.49): https://dlcdn.apache.org//httpd/CHANGES_2.4.49
For 2.51: https://dlcdn.apache.org//httpd/CHANGES_2.4.51
"SECURITY: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (cve.mitre.org) It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient..."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9b189f44939fbf4743520e17fc59edda6ebadbca Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 13 12:00:11 2021 +0000
core161: add firewall changes to update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 51c4b73f7a417ff56e27f913cd3254f549ead99a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 4 18:52:22 2021 +0100
IPsec: Replace MARK 50 by 0x00800000
This change is necessary because we are using the right-hand two bytes for storing the QoS classes.
All IPsec traffic will now be skipped and never classified by the QoS.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f857c5c63040664414dc07838052155305136c5a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 4 18:52:21 2021 +0100
QoS: Make outgoing packet processing use CONNMARK
This will significantly reduce the load when classifying outgoing traffic as there won't be any overhead as soon as the connection has been classified. The classficiation is being stored in the iptables MARK which will be copied to CONNMARK if changed.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0bb882c4bb9acefe26a5713520e5c4ce42cafd79 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 4 18:52:20 2021 +0100
QoS: Drop support for hardcoded ACK rules
This feature has to go in order to take advantage of CONNMARK which will drastically decrease CPU load when passing packets.
We no longer will see every packet in the QOS-INC chain in order to change classification of that packet. It is also party counter-intuitive to have parts of one connection in one class and the corresponding ACK packets in another.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c825fcef40f63c8ce39a50b7285dbca98e2db60b Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 4 18:52:19 2021 +0100
firewall: Always restore all connection marks
This was done by tc only when QoS was enabled
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 45329c0a66d2f1f7bf4d215489ece6bc1714dfe3 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 4 18:52:18 2021 +0100
QoS: Use the two right hand bytes to mark packets
In order to not deal with any marks from NAT and the IPS, this patch adds masks to all places where packets are being marked for individual QoS classes.
Instead of being able to use the "fw" match in tc, we have to use the u32 to apply the mask.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ce31144c629354d32fcb41ea69f0dbc5e426eea7 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 4 18:52:17 2021 +0100
firewall: Only check relevant bits for NAT fix rules
In order to use the highest two bits for surciata bypass, we will need to make sure that whenever we compare any other marks, we do not care about anything else.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 5c372259e3132fa77a8238400b707d7aa398dc15 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 10 13:23:30 2021 +0200
kernel: update to 5.10.72
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8bb805760f607ee1451ce8b2e033d5af073282dc Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 10 13:22:48 2021 +0200
kernel: add realtek rtl88x2bu wlan module
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 58f6264fa42abe2b889b5d291d8fea91088a9c8e Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 10 06:46:25 2021 +0000
kernel: update to 5.10.71
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 02fadedf8dfb0143b5b49c4d59eb243eefc0f4c3 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 10 06:45:09 2021 +0000
initskrips: leds: add nanopi r2s support
commit 13e001f5c258373c1d7ecd6bfd6e2c5aa4f9dc7d Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 8 19:54:29 2021 +0000
kernel: config for nanopi r2s
some drivers does nozt work as module so they are now compiled into main kernel
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit fe582c9d7c2379710c13d3266d05307ff23c9aca Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 8 12:05:36 2021 +0000
u-boot: nanopi r2s: add bootcmd and 2nd mac address
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0b29b37c57415784d55373b36fb291bc7b07eb5b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 4 06:13:18 2021 +0000
u-boot: bootscript try to use also devnum instead of dev_num
on newer board the variable was renamed.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit dac49f1b119b639fdca9b36e6af8706b41fbb821 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 4 06:07:30 2021 +0000
u-boot: set nanopi r2s baudrate to 115200
default is 150000 but many usb-ttl adapters are unstable at this rate.
commit 954ac9df0441ebbca230cd2e0adcd91cbb9c97c1 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 3 07:42:41 2021 +0000
flash-images: install u-boot for nanopi r2s on aarch64
rockchip has a large bootloader so this also increase the gap between partitiontable and fist partition to 16MB on aarch64
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 1f38bac05383eef9c8065f7834f35779e79ab966 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 3 07:39:04 2021 +0000
u-boot: add nanopi r2s build
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4c59cad1c0f8ee5846c39007bd6734b35d66264c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 3 07:30:57 2021 +0000
dtc: add device tree compiler on aarch64
u-boot for nanopi r2s (rockchip rk3328) need dtc to build the image so this adds dtc as build dependency for u-boot
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 577c7c09fa226bbf5f2775628f4ff330bf16c98a Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 1 23:23:01 2021 +0200
kernel: update to 5.10.70
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b0bb1450fdc450ab239adfccda04420e5bece546 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 24 10:14:50 2021 +0100
media.cgi: Fix parsing output of iostat
Since the last update of sysstat, the output of iostat has changed and the web user interface showed wrong values.
This is now being fixed in this patch.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3d17e0d68316b4475bae73ca39f4bb59e9fcdf5e Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 27 12:21:51 2021 +0200
kernel: update to 5.10.69
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 13fcfb9a0e81a14ee125e7e51f342d758263da63 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Sep 26 14:58:27 2021 +0200
kernel: update to 5.10.68
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9d20b293b83c78dde7234fa3d3912d2b754df8cd Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Sep 26 08:40:32 2021 +0000
kernel: arm rootfile update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 62f705316b81d4b7f452e6380112696d33571381 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Sep 25 13:19:25 2021 +0000
kernel: aarch64 enable drivers for common ROCKCHIP boards
thx to Fukan K fixes #12681
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a21d6a30ced4d4cbf814712277de9ec41d97b412 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Sep 25 13:07:36 2021 +0000
kernel: aarch64 oldconfig
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 5b659043a98ecd92c5f7fa1a550262ae99476bb2 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Sep 24 09:31:52 2021 +0000
wlanap.cgi: fix typo at reading country list
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 6d8cc5a74eef140b28c62b23b6973c06b15ec8f2 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 20 23:46:14 2021 +0200
kernel: x86 rootfile update
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 037dc6b9bc5bbc1138ea5075d14d61ba19aaada9 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 20 23:45:56 2021 +0200
kernel: update to 5.10.67
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit cbbed5bc1487ca0e3343b0aaf777abea258ef49c Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:29 2021 +0000
kernel: Enable all cgroups on all architectures
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9df49966d6c511227debbfca57dbe1ad38664f87 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:28 2021 +0000
kernel: Zero-init all stack variables by default
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b7ed5dc81796dbc49b48306259bd72fbd35c107f Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:27 2021 +0000
kernel: Enable support for TPM hardware
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9012cffdb6588448de51a592dd1bdfeb6cd3ec05 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:26 2021 +0000
kernel: Enable ExFAT on all architectures
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 340f155649ee22afa19f1b6677e35a3d155a7898 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:25 2021 +0000
kernel: Enable frontswap
"Frontswap provides a “transcendent memory” interface for swap pages. In some environments, dramatic performance savings may be obtained because swapped pages are saved in RAM (or a RAM-like device) instead of a swap disk."
https://www.kernel.org/doc/html/latest/vm/frontswap.html
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 15f53912a1a474a2f0cce9a1cd1478276395f3ff Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:24 2021 +0000
kernel: Disable network security hooks
This is a feature we do not use and it should therefore be disabled
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c913c9862cef699125149dc0ba40adc86eff05c6 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:23 2021 +0000
kernel: Disable OpenvSwitch
We do not use this and so we should not build it to save space.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit fef9a33846217b0257eda627a3aa6528b70adc86 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:22 2021 +0000
kernel: Disable any runtime testing
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 828d3d2525a449c45b719a31fba800558a0c3b18 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:21 2021 +0000
kernel: Disable SLUB debugging
This is not necessary on our systems and according to the documentation will reduce code size of the allocator which will result in better performance.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 034a2402fc24083ec99e5caa70c45a1d810c9d33 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:20 2021 +0000
kernel: Enable Pressure Stall Information
This is a new type of metric to find out what resource is currently a bottleneck for the whole system. We might use this for graphs.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f58a8cb16f487441a86ea48ae6aaf06eb9f6e7e5 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:19 2021 +0000
kernel: Disable IRQ time accounting
This feature is now disabled (was disabled on ARM before) as we do not need it:
"Select this option to enable fine granularity task irq time accounting. This is done by reading a timestamp on each transitions between softirq and hardirq state, so there can be a small performance impact."
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c0932f8fbece2beb13644605d85b599fe33505e4 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:18 2021 +0000
kernel: Disable suspending systems to RAM
We do not make any use of this functionality
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 0e83b0d03c0907d99f7f709482476267c903c2dd Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Sep 17 11:42:17 2021 +0000
kernel: Change timer tick to 1000Hz
This change is required to make the system respond faster to any realtime events (sending or receiving data packets).
It will wake up at least one core 1000 times a second which will result in finer timer granularity and make scheduling smoother. HTB for example sends large packet bursts on each timer even to keep up data rates which is not helpful for most applications.
The change might increase resource consumption and overhead slightly on some systems, but since we are running in an idle-dyntick configuration, we should not keep awake any cores that have not been awake before.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f06578af15465ab9eedca2e4840d070b8497a81c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 20 13:57:26 2021 +0000
core161: start updater
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
hooks/post-receive -- IPFire 2.x development tree