This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated from 3a6784c065ca6513444f81d073874ff8118c6380 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 56b9e4553e150d514a47de1af7fae2abc43bdd0f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Nov 10 21:15:21 2015 +0100
finish core95
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e42d35f4964f0c72c0383d64ffd960274a667b3a Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Nov 10 21:13:51 2015 +0100
kernel: update to 3.14.57
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 70defeb036de5e8043a867f08effdc741d95fe99 Author: Alexander Marx alexander.marx@ipfire.org Date: Tue Nov 10 10:59:12 2015 +0100
BUG10964: When entering wrong data in dma setup, the fields are blanked
When entering wrong values in the fields and saving the site, there comes an error message and all fields except mailserver and port are blanked. Now the fields are preserved and all data is displayed even after an error message.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 35a21a254d2d45488eea77eb6a6e947f38c4e388 Author: Alexander Marx alexander.marx@ipfire.org Date: Fri Jul 24 10:36:12 2015 +0200
BUG10902: Add statusfile line when editing an ovpn n2n connection
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a9efe3bd68f83c2281ba934a872ff0100fa9b863 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Nov 9 17:33:50 2015 +0000
core95: Add changed network-functions.pl to updater
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f770b72899bcd7977a83e0237c9840804f6a46ca Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Nov 9 12:42:47 2015 +0100
BUG10940: remove leading zeros in ip address
In firewallgroups (hosts) an error was created when using IP addresses like 192.168.000.008. Now all leading zeros are deleted in firewallgroups and in the firewall itself when using single IP addresses as source or target.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f7d4c48ded189f935d0eb0c836caca35873e554f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Nov 8 18:03:53 2015 +0100
core95: ship settime and timecheck scripts.
On some installations these scripts are outdated. Fixes: #10976
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f75dee7afd8b2cf3a7b0cb6da4a041e652901576 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Nov 8 15:44:18 2015 +0100
core95: exclude ntp config files.
Fixes: #10974
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 769a0c072ab720218a9c6c2960d04173a04f4d5f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Nov 8 15:42:53 2015 +0100
core95: exclude dma config files.
Fixes: #10975
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 28bee14eccbc3e2cada73cbbe84634e070c8c8bc Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Nov 8 10:04:13 2015 +0100
core95: add ipset to updater.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c88002c48b8011dfec3aefe66f66769e786db11b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Nov 7 09:11:27 2015 +0100
ipset: fix build on arm.
Never hardcode KVER-ipfire in any patches because on arm there is no KVER-ipfire kernel.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ea2b8089e69e3741ac3a3f3f24bc9f0b409d04d0 Merge: 89f7654 9ce3b85 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Nov 5 21:39:39 2015 +0100
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 9ce3b858a616613539eb4319bf621a50bc8d33eb Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 5 15:35:46 2015 +0000
core95: Ship changed mail.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4bfec109e7ed1856c8f39de83bb8d213e9ba13a4 Author: Alexander Marx alexander.marx@ipfire.org Date: Sat Oct 31 07:34:56 2015 +0100
BUG10965: only write auth.conf if username/password are set
auth.conf was always written, even if no username/password provided. In this case only the ip or Hostname of the mailserver was written into auth.conf. Now the file is only filled if username/password are filled.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Tested-by: Timo Eissler timo.eissler@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 63cbd2c1df71e246a51b614a2549869168399b10 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Thu Nov 5 06:29:01 2015 +0100
ipset: New package
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2913185aa487b605e38bdd5b5ac3820d1fa6f654 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 5 11:44:57 2015 +0000
openvpn: The --up option only takes one single argument
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a4e9b9d8e085455fce6ba632da4829a959f3cc96 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 5 11:44:04 2015 +0000
openvpn: Apply static routes on client site as well
Fixes: #10968
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 89f7654673365ed30be80f01ec2d83ed1b73b13b Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Nov 5 11:40:06 2015 +0100
openvmtools: enable build on x86_64
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 87fb870b5edc65d6323f1ef2eb4dba8e6ef8045d Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Nov 4 21:18:13 2015 +0000
core95: Ship updated packages
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b6f571fa88735dcde1dfa8b4c584220fb14bf143 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Nov 1 15:30:01 2015 +0100
snort: Update to 2.9.7.6
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6411f1baa6e3d1a89df72327b7c8b5cb2fa8202a Author: Erik Kapfer erik.kapfer@ipfire.org Date: Tue Jul 7 13:13:36 2015 +0200
lzo: Update to version 2.09
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b22d8aaf4ad26840cc6907580e6bd0cfea73b160 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Oct 30 15:47:22 2015 +0000
openvpn: Embed the certificate and key file into configuration
This will allow to import just the configuration file into iOS and establish the VPN connection. Also works with many other OpenVPN clients.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 71af643cda77f02a006613f3fcc1a223a88f01a6 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Oct 30 15:47:21 2015 +0000
openvpn: Add option to download a client package with PEM files
This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file which is easier to use with clients that don't support PKCS12 (like iOS) opposed to converting the file manually.
This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer michael.tremer@ipfire.org CC: Alexander Marx alexander.marx@ipfire.org
commit 3045d6abde3e8eff0d1dac4fe8afe397f65f66cd Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Oct 30 16:00:28 2015 +0000
openvpn: Apply static routes when N2N connection comes up
Fixes: #10968
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 93a08fe26132b91bc3d47d83e13bf79a3b4c5c77 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Nov 3 18:51:32 2015 +0100
dma: Update to 0.10
Sorry, I borked the PATCH from yesterday...second try:
dma: Update to 0.10 Changes: dns.c, do not treat unreachable DNS server as permanent error See: https://github.com/corecode/dma/commit/1a1306df018bd62cf1c5feb2e6e664f656bc9...
Deleted unnecessary blank lines in 'mail.cgi'
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 123205fdbf2624a78449044c11cff5e77dd3f8e3 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Nov 1 21:49:22 2015 +0100
core95: add updated backup exclude list.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 60fcb2410e4db68625ef080bdf3d99d79e7b5abb Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Nov 1 11:20:56 2015 +0100
firewall: fix disable MASQERADE in green only mode.
using MASQERADE_GREEN="off" will not work because "NETWORK_GREEN" is not correctly defined in green only mode.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 843ca290e1be08ddf614cb087b7ddc24d1dada1c Merge: 673351d 6feea5f Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Oct 31 21:44:51 2015 +0000
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 6feea5f77819febc1b7f75420b00881655039dbe Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Oct 31 21:40:47 2015 +0000
credits.cgi: Update credits
Promotes Alexander Marx to the group of Core Developers.
Also lots of reformatting of old HTML code.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 673351d8a2b3b2c2ac3cc1367fc623c83fef67bc Author: Lars Schuhmacher larsen007@web.de Date: Fri Oct 30 23:59:08 2015 +0100
Fix unnecessary space character in "E-Mail Absender"
Fix unnecessary space character in "E-Mail Absender".
Replaces the space character with a dash as is correct and already used in the other words in that part.
Signed-off-by: Lars Schuhmacher larsen007@web.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 12b5c00d3e598d71682813c9421bbc84c510f042 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 31 17:29:14 2015 +0100
core95: add kernel to updater.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit ec72ebbfdadf0a6c906a734d480c726735e6fbfe Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 31 17:07:01 2015 +0100
core95: add ntp, backup and geoip changes to updater.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit b209d63dc060de463ba513f69de65982384147af Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 31 17:04:47 2015 +0100
backup: exclude lm_sensors config.
This config is hardware dependent and will be autodetected at boot. Fixes #10865
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 16cb6ae3d0c44199681bcc27284dde5184cbcc01 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sat Oct 31 16:55:17 2015 +0100
geo-ip: download initial database in background.
on slow internet connections like gprs the first start hung many minutes.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c98981ae3d23db0270f43ed4647cfc10ad89b697 Merge: 6e11539 5215a0f Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 29 23:25:45 2015 +0000
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 5215a0f2c11911ee2750f8dc3f7ebca4212aa13a Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 28 19:36:22 2015 +0100
e1000e: update to 3.2.7.1
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 8d4cae873609b48a93a0758c8db33df0666355ae Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 27 17:31:51 2015 +0100
kernel: update to 3.14.56
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e0d5c35122ee5936910b56cc429815e623979f2f Merge: bd64e2a c267b2d Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 27 17:31:19 2015 +0100
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit bd64e2a02a0984d8f8641cfafca4773541c25f60 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Tue Oct 27 16:57:24 2015 +0100
kernel: genksyms fix empty symbol crc.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c267b2da2dc5617b0daee33f3fceb4f81a3bb3cf Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Oct 26 16:25:24 2015 +0100
snort 2.9.7.6: removed unrecognized configure options in lfs file
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6e11539dc2c3c3e5d65abc4a0bce74b4e1ce1714 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Oct 26 12:24:51 2015 +0100
ntp: Update to 4.2.8p4
ntp-Update to 4.2.8p4, regarding "13 low- and medium-severity vulnerabilities".
For a complete list, see: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a14e8d0256919b75612a67f2c6ceaffb979a4428 Merge: 038169b 3a6784c Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 25 09:21:12 2015 +0100
Merge remote-tracking branch 'origin/master' into next
commit 038169b894f1914b3cbd6513fea5f307bcc4ab12 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Oct 23 11:00:03 2015 +0200
kernel: update to 3.14.55
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 39ed5389fc6de2c7f602d26ba21f0cf9e5fdabc6 Merge: 159c9eb 374e636 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 22 23:38:27 2015 +0200
Merge remote-tracking branch 'origin/master' into next
commit 159c9eb9b1ac6144db50e4677132c51ddf2d8ceb Merge: 4c5c4f3 d7b82e7 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 22 13:11:17 2015 +0200
Merge remote-tracking branch 'origin/master' into next
commit 4c5c4f3afcfe65c3bfc2d278304a35fd69965eae Merge: 52daacc a057a97 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 21 21:02:19 2015 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 52daacc5c486daa38989883dc74618e758a33e4f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Wed Oct 21 18:48:32 2015 +0200
kernel: update to 3.14.54
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit a057a976551e3554d123f5aef1f03583b819feb9 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Oct 21 17:34:41 2015 +0100
dhcp rfc2136: dhcpd does not seem to support SHA-1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2b952557f4c963bdca3a4a9cf0e6c25ff6d19771 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Oct 21 13:52:22 2015 +0100
core95: Ship DHCP RFC2136 changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 364452506fcc7170c000d2ac7fe7ae67351a6241 Merge: 4e8949e 5fd7e84 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Oct 21 13:50:07 2015 +0100
Merge remote-tracking branch 'ms/dhcp-rfc2136-broken-down' into next
commit 4e8949e8177a13dde72946ea9d02d0c12badafe0 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Oct 18 19:20:18 2015 +0100
core95: Ship changed routing.cgi file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6be114f03a12086211234c05a4f7801416488c67 Author: Alexander Marx alexander.marx@ipfire.org Date: Sat Oct 17 19:27:03 2015 +0200
BUG10941: fix single ip-addresses when no subnet given
Some functions when adding a new route were senseless. Now the IP address is checked and in case of a missing / wrong subnetmask an error message is raised. The IP address is preserved. ELSE we convert the subnetmask to CIDR notation and calculate the network IP correctly.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 307327a946be2782f1858f30953d6a2fefc847d1 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Oct 18 19:19:31 2015 +0100
core95: Ship changed firewall.cgi file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8b7417c50b8d3de46003bd40d779bef222dc4171 Author: Alexander Marx alexander.marx@ipfire.org Date: Sat Oct 17 18:32:10 2015 +0200
BUG10806: fix wrong customhostgroupcheck
The function to check for valid hostgroup entries not only checked the target hostgroup but also the source hostgroup if any. This led to the error. Now the check only affects target hostgroups because it does not matter if a sourcegroup contains MAC addresses.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 924f5d6f1aa07d92f3a946e29f4208593a0fe4d2 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Oct 18 18:54:25 2015 +0100
core95: Ship changed firewalllogcountry.dat
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 953ff6edb3e4f14b08a5accad9f80a319476fabe Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 18 13:23:32 2015 +0200
firewalllogcountry.dat: Do not show 'Details' button for unknown location.
The CGI offers the possibility to get more details for a certain location by clicking on a button.
This feature cannot be used for the category "unknown". To prevent users from being confused about non show-able details, I added some code to hide this button for this category.
Fixes #10726.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ea3eac2c509aa4f8acee62095f54949d53f55276 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Oct 18 18:52:07 2015 +0100
core95: Ship changed pppsetup.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 609b862fe7c58c3d61244888c1f7a98cb7da66cb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Oct 18 14:25:50 2015 +0200
pppsetup.cgi: Fix site layout when no TYPE is specified
There was an issue with falsely generated HTML code, in case of an empty or unset $pppsettings{'TYPE'} variable, which results in a misplaced website footer.
This patch moves the code for closing the table and the call of the closebox() function to the correct place to prevent this display issue.
Fixes #10565.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4bb2df502d0f542396891973c68f0ea259f0bd66 Author: Dirk Wagner dirk.wagner@ipfire.org Date: Sat Oct 17 20:55:17 2015 +0200
monit addon: Upgrade to 5.14
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 187154380c605e0ba1ffd3ed7d98145e2f57d35a Author: Dirk Wagner dirk.wagner@ipfire.org Date: Sat Oct 17 20:52:13 2015 +0200
asterisk addon: Update to 11.20.0
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f4390974996ba0d416deab9c79446087c9a14750 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Oct 17 01:27:07 2015 +0100
core95: Ship ddns update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a9929e324f6dc121cca45f1959b7b8d2a47570fe Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Oct 17 01:27:04 2015 +0200
ddns: Update to 009
This update contains the latest upstream changes which are a better SSL error handling and support for desec.io.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 075b6e10db482dd77ec2634f707634e895610941 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 15 22:46:33 2015 +0100
core95: Ship IPsec blocking changes
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 80fbd8994934af3ac99d91a45ab1130e41a26ece Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Oct 3 22:31:53 2015 +0100
ipsec: Add block rules to avoid conntrack entries
If an IPsec VPN connection is not established, there are rare cases when packets are supposed to be sent through that said tunnel and incorrectly handled.
Those packets are sent to the default gateway and an entry for this connection is created in the connection tracking table (usually only happens to UDP). All following packets are sent the same route even after the tunnel has been brought up. That leads to SIP phones not being able to register among other things.
This patch adds firewall rules so that these packets are rejected. That will send a notification to the client that the tunnel is not up and avoid the connection being added to the connection tracking table.
Apart from a small performance penalty there should be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Cc: tomvend@rymes.com Cc: daniel.weismueller@ipfire.org Cc: morlix@morlix.de Reviewed-by: Timo Eissler timo.eissler@ipfire.org
commit 2158e11ba983abbc747907d35d9fe36ca4295276 Author: Larsen larsen007@web.de Date: Sat Oct 10 23:24:16 2015 +0200
IPSec VPN: Add "required" marker for "organization name"
IPSec VPN: Add "required" marker for "organization name"
Fixes https://bugzilla.ipfire.org/show_bug.cgi?id=10846
Signed-off-by: Lars Schuhmacher larsen007@web.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cffa84a64e96766a849ef660cb4493069ad90f63 Author: Larsen larsen007@web.de Date: Sat Oct 10 23:07:19 2015 +0200
Translation improvements
Translation improvements
Signed-off-by: Lars Schuhmacher larsen007@web.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a9a28430b5bce4f43fafd13f60b2e068eca1ea9a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Oct 10 18:07:38 2015 +0200
tor.cgi: Fix missing country flag icons.
The CGI now is using the GeoIP::get_flag_icon function provided by the geoip-functions.pl, which takes care of the changed flag icons shipped by core update 90.
Fixes #10919.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Tested-by: Jan Paul Tuecking jan.paul.tuecking@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a18b5b4f4d383aaf132ff9e10fd3c9345d74d933 Merge: 4504c41 0171486 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Oct 15 11:59:44 2015 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit 01714866956b71bea0944cece60d2030861263f3 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Oct 4 16:01:33 2015 +0200
sox: Disable parallel build
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4504c412af12293e1500217a87e530a1eaa6f224 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Oct 3 19:53:57 2015 +0100
procps: Ship pgrep
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8235f17df5bdc1d5131c10bdfd40b40741bdebce Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Oct 3 19:15:36 2015 +0100
strongswan: Update to 5.3.3
ChaCha is disabled since our kernel does not support it yet
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 75ccb6a6935506245f8957a386635b3db2e192fd Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Oct 2 19:00:13 2015 +0100
krb5: Disable parallel build
Builds of this package crash randomly on all architectures which might be related to the parallel build.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1f011c6594fd416319e66e1a5c6a3877a517f2eb Author: Arne Fitzenreiter arne_f@ipfire.org Date: Thu Oct 1 11:14:58 2015 +0200
backports: add Tevii S482 patch
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 26e91280ea082e64e75eb8ff431054d198f1937c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 20:14:42 2015 +0100
Rootfile update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 16016ff2b0c7e53a580d4584ab4de66e3d77e87d Merge: 95b09c8 55eb745 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 28 18:42:57 2015 +0200
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
commit 95b09c86d6f13fa4c59bdb012d60c4d5ffb39b9b Merge: db151fd c5a5e4a Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 28 18:40:32 2015 +0200
Merge remote-tracking branch 'origin/master' into next
commit db151fde63cc88d42d584ffbfe753fc8b81d1c97 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 28 18:39:26 2015 +0200
igb: update to 5.3.3.2
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 1d664fe1db6a42f4e64ec581f8ba8876eda6d815 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Sep 28 18:38:55 2015 +0200
e1000e: update to 3.2.4.2
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 55eb745e65ade706d6ded851086a42f2a1b8803b Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:35:54 2015 +0100
core95: Ship changed files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dfe630f77c780c17238ae23392e52e68a41ab892 Merge: c400bc2 3db5848 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:33:49 2015 +0100
Merge remote-tracking branch 'ms/experimental-vlan-hotplugging' into next
commit c400bc2d7dc1c4e1f784f5bbd8c2d898b1faf97a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:25:53 2015 +0100
core95: Ship changed files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c6fba315ecd044bd53350641c2e6f27d9df785de Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:24:44 2015 +0100
connections.cgi: Support multiple subnets for IPsec
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b1881251d6cdd92c7e887813395386afe9692944 Merge: 4b046d7 7c8e022 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:21:18 2015 +0100
Merge remote-tracking branch 'ms/ipsec-subnets' into next
commit 4b046d735d28012d215276ea08272f298e1e8ba1 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:08:17 2015 +0100
Start Core Update 95
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d86694ad1f5c1553d57028af0bd8de58ca6d5f39 Merge: 624615e 9dd1408 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 28 14:05:26 2015 +0100
Merge branch 'master' into next
commit 624615ee0731c45eff6bc964aa053d5e481aa30f Author: Lars Schuhmacher larsen007@web.de Date: Fri Sep 25 23:01:17 2015 +0200
vpnmain.cgi - Replace spaces with tab characters and fix indentation
Replaced spaces with tab characters. Fixed indentation.
This is based on http://patchwork.ipfire.org/patch/88/ so that patch must be applied before.
Signed-off-by: Lars Schuhmacher larsen007@web.de Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ed1d0fbdbe0a2c7990ac984ebeed4e74c7bd3955 Author: Lars Schuhmacher larsen007@web.de Date: Fri Sep 25 00:04:08 2015 +0200
IPsec: Remove GUI option for "Roadwarrior virtual IP"
This setting stems from IPCop (and probably Openswan) and causes a problem.
Fixes bug #10496.
Signed-off-by: Lars Schuhmacher larsen007@web.de Acked-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c9f0174979e9de685906e12a22e7625cd92dc90f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Sep 27 12:58:22 2015 +0200
kernel: update to 3.14.53
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 1f2bda9ba3b58eaf186a90369d64aad914217908 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Sun Sep 27 11:23:11 2015 +0200
backports: enable build on x86_64.
backports 4.1.1-1 is not stable so we need to stay on the older version.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 7c8e022c4b3c7d184e4cee8f79b5e7d63f464759 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Sep 22 00:26:14 2015 +0100
firewall: Support multiple subnets per IPsec tunnel
Fixes #10929
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8792caad90e968894fa55909b725055e7ac8f5c5 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 25 21:52:11 2015 +0100
ipsec: Support using multiple subnets per tunnel
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3db584817d41c055c462a77ac9fb50491766beaf Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Aug 2 22:23:59 2015 +0100
Remove old VLAN initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 36f7fe6a38c7923ac0e25a677484542f9388520a Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Aug 2 22:18:33 2015 +0100
udev: Add hotplugging for VLAN devices
The VLAN devices will now automatically be created after a parent device has been added.
Mainly this will resolve a race-condition between udev initialising the network adapters and sysvinit running scripts that will do the initialisation of the VLAN.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5fd7e84c499320c9ba1d81c78a706cd42b5bfc2c Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 31 01:23:35 2015 +0200
dhcp-ddns: Set TTL to 1 minute
commit 28fee67640d1c1f5ddc692c1c7f073fa8f115d3c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 16 00:54:42 2015 +0100
dnsmasq: Disable parsing leases when DNS Update is enabled
commit b510e12ac1deb8ac93fcfa7dc62a505affe0fdee Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 16 00:54:20 2015 +0100
DHCP: Allow DNS Update configuration in the web user interface
commit f5fb9a0466e6857ab4c8294a58e1cd7678d72b45 Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Mar 15 13:34:02 2015 +0100
DHCP: Allow using external name servers for leases
These changes allow a user to use RFC2136 in order to update their (public) DNS zone with the dynamic or static leases.
A TSIG key may optionally be used to authenticate the updates.
-----------------------------------------------------------------------
Summary of changes:
 config/backup/exclude | 1 +
 config/cfgroot/network-functions.pl | 13 +
 config/firewall/firewall-lib.pl | 5 +-
 .../firewall/ipsec-block | 66 +-
 .../kernel/kernel.config.armv5tel-ipfire-kirkwood | 3 +-
 config/kernel/kernel.config.armv5tel-ipfire-multi | 3 +-
 config/kernel/kernel.config.armv5tel-ipfire-rpi | 3 +-
 config/kernel/kernel.config.i586-ipfire | 6 +-
 config/kernel/kernel.config.i586-ipfire-pae | 6 +-
 config/kernel/kernel.config.x86_64-ipfire | 56 +-
 config/rootfiles/common/armv5tel/initscripts | 2 -
 config/rootfiles/common/i586/initscripts | 2 -
 config/rootfiles/common/ipset | 26 +
 config/rootfiles/common/lzo | 17 +-
 config/rootfiles/common/ntp | 505 +--
 config/rootfiles/common/procps | 2 +-
 config/rootfiles/common/stage2 | 1 +
 config/rootfiles/common/strongswan | 1 +
 config/rootfiles/common/udev | 1 +
 config/rootfiles/common/x86_64/initscripts | 2 -
 config/rootfiles/common/x86_64/linux | 13 +
 config/rootfiles/common/x86_64/stage2 | 1 +
 config/rootfiles/core/{94 => 95}/exclude | 2 +
 .../95}/filelists/armv5tel/linux-kirkwood | 0
 .../90 => core/95}/filelists/armv5tel/linux-multi | 0
 .../90 => core/95}/filelists/armv5tel/linux-rpi | 0
 .../{oldcore/93 => core/95}/filelists/ddns | 0
 config/rootfiles/core/{94 => 95}/filelists/dma | 0
 config/rootfiles/core/95/filelists/files | 26 +
 .../{oldcore/90 => core/95}/filelists/i586/linux | 0
 .../90 => core/95}/filelists/i586/linux-initrd | 0
 .../95}/filelists/i586/strongswan-padlock | 0
 config/rootfiles/core/95/filelists/ipset | 1 +
 .../{oldcore/81 => core/95}/filelists/lzo | 0
 .../{oldcore/28 => core/95}/filelists/ntp | 0
 .../{oldcore/89 => core/95}/filelists/snort | 0
 .../{oldcore/91 => core/95}/filelists/strongswan | 0
 config/rootfiles/core/95/filelists/x86_64/linux | 1 +
 .../core/95/filelists/x86_64/linux-initrd | 1 +
 config/rootfiles/core/{94 => 95}/meta | 0
 config/rootfiles/{oldcore/87 => core/95}/update.sh | 124 +-
 config/rootfiles/{core => oldcore}/94/exclude | 0
 .../{core => oldcore}/94/filelists/armv5tel/glibc | 0
 .../rootfiles/{core => oldcore}/94/filelists/bind | 0
 .../{core => oldcore}/94/filelists/chkconfig | 0
 .../{core => oldcore}/94/filelists/coreutils | 0
 .../rootfiles/{core => oldcore}/94/filelists/dma | 0
 .../{core => oldcore}/94/filelists/dnsmasq | 0
 .../rootfiles/{core => oldcore}/94/filelists/file | 0
 .../rootfiles/{core => oldcore}/94/filelists/files | 0
 .../{core => oldcore}/94/filelists/fireinfo | 0
 .../{core => oldcore}/94/filelists/hdparm | 0
 .../{core => oldcore}/94/filelists/i586/glibc | 0
 .../{core => oldcore}/94/filelists/iproute2 | 0
 .../{core => oldcore}/94/filelists/libgcrypt | 0
 .../{core => oldcore}/94/filelists/libgpg-error | 0
 .../{core => oldcore}/94/filelists/openssh | 0
 .../rootfiles/{core => oldcore}/94/filelists/pcre | 0
 .../94/filelists/perl-Email-Date-Format | 0
 .../{core => oldcore}/94/filelists/perl-MIME-Lite | 0
 .../{core => oldcore}/94/filelists/rrdtool | 0
 .../rootfiles/{core => oldcore}/94/filelists/setup | 0
 .../rootfiles/{core => oldcore}/94/filelists/squid | 0
 config/rootfiles/oldcore/{93 => 94}/meta | 0
 config/rootfiles/{core => oldcore}/94/update.sh | 0
 config/udev/60-net.rules | 4 +
 .../udev/network-hotplug-vlan | 82 +-
 doc/language_issues.de | 1 +
 doc/language_issues.en | 1 +
 doc/language_issues.es | 7 +
 doc/language_issues.fr | 7 +
 doc/language_issues.it | 7 +
 doc/language_issues.nl | 7 +
 doc/language_issues.pl | 7 +
 doc/language_issues.ru | 7 +
 doc/language_issues.tr | 7 +
 doc/language_missings | 24 +
 html/cgi-bin/connections.cgi | 18 +-
 html/cgi-bin/credits.cgi | 101 +-
 html/cgi-bin/dhcp.cgi | 106 +-
 html/cgi-bin/firewall.cgi | 10 +-
 html/cgi-bin/fwhosts.cgi | 13 +-
 html/cgi-bin/ids.cgi | 6 +-
 html/cgi-bin/logs.cgi/firewalllogcountry.dat | 12 +-
 html/cgi-bin/mail.cgi | 35 +-
 html/cgi-bin/ovpnmain.cgi | 117 +-
 html/cgi-bin/pppsetup.cgi | 6 +-
 html/cgi-bin/routing.cgi | 12 +-
 html/cgi-bin/tor.cgi | 11 +-
 html/cgi-bin/vpnmain.cgi | 4385 ++++++++++----------
 langs/de/cgi-bin/de.pl | 13 +-
 langs/en/cgi-bin/en.pl | 7 +-
 langs/es/cgi-bin/es.pl | 1 -
 langs/fr/cgi-bin/fr.pl | 1 -
 langs/it/cgi-bin/it.pl | 1 -
 langs/nl/cgi-bin/nl.pl | 1 -
 langs/pl/cgi-bin/pl.pl | 1 -
 langs/ru/cgi-bin/ru.pl | 1 -
 langs/tr/cgi-bin/tr.pl | 1 -
 lfs/asterisk | 6 +-
 lfs/backports | 4 +
 lfs/ddns | 4 +-
 lfs/dma | 6 +-
 lfs/e1000e | 6 +-
 lfs/igb | 6 +-
 lfs/initscripts | 1 -
 lfs/{libarchive => ipset} | 22 +-
 lfs/krb5 | 4 +-
 lfs/linux | 23 +-
 lfs/lzo | 15 +-
 lfs/monit | 6 +-
 lfs/ntp | 6 +-
 lfs/openvmtools | 4 +-
 lfs/snort | 12 +-
 lfs/sox | 2 +-
 lfs/stage2 | 2 +
 lfs/strongswan | 5 +-
 lfs/tor | 2 +-
 lfs/udev | 2 +
 make.sh | 15 +-
 src/initscripts/init.d/dnsmasq | 22 +-
 src/initscripts/init.d/firewall | 12 +-
 .../init.d/networking/red.up/99-geoip-database | 2 +-
 src/misc-progs/ipsecctrl.c | 4 +
 ...ckports-3.18.1-1_no_dma_sgtable_on_x86_64.patch | 26 +
 src/patches/linux-3.10-dvb_tevi_s482.patch | 240 ++
 .../linux-genksyms_fix_typeof_handling.patch | 1360 ++++++
 src/squid-accounting/acct.de.pl | 2 +-
 128 files changed, 4895 insertions(+), 2836 deletions(-)
 copy src/installer/start-networking.sh => config/firewall/ipsec-block (58%)
 create mode 100644 config/rootfiles/common/ipset
 copy config/rootfiles/core/{94 => 95}/exclude (93%)
 copy config/rootfiles/{oldcore/90 => core/95}/filelists/armv5tel/linux-kirkwood (100%)
 copy config/rootfiles/{oldcore/90 => core/95}/filelists/armv5tel/linux-multi (100%)
 copy config/rootfiles/{oldcore/90 => core/95}/filelists/armv5tel/linux-rpi (100%)
 copy config/rootfiles/{oldcore/93 => core/95}/filelists/ddns (100%)
 copy config/rootfiles/core/{94 => 95}/filelists/dma (100%)
 create mode 100644 config/rootfiles/core/95/filelists/files
 copy config/rootfiles/{oldcore/90 => core/95}/filelists/i586/linux (100%)
 copy config/rootfiles/{oldcore/90 => core/95}/filelists/i586/linux-initrd (100%)
 copy config/rootfiles/{oldcore/91 => core/95}/filelists/i586/strongswan-padlock (100%)
 create mode 120000 config/rootfiles/core/95/filelists/ipset
 copy config/rootfiles/{oldcore/81 => core/95}/filelists/lzo (100%)
 copy config/rootfiles/{oldcore/28 => core/95}/filelists/ntp (100%)
 copy config/rootfiles/{oldcore/89 => core/95}/filelists/snort (100%)
 copy config/rootfiles/{oldcore/91 => core/95}/filelists/strongswan (100%)
 create mode 120000 config/rootfiles/core/95/filelists/x86_64/linux
 create mode 120000 config/rootfiles/core/95/filelists/x86_64/linux-initrd
 rename config/rootfiles/core/{94 => 95}/meta (100%)
 copy config/rootfiles/{oldcore/87 => core/95}/update.sh (72%)
 rename config/rootfiles/{core => oldcore}/94/exclude (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/armv5tel/glibc (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/bind (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/chkconfig (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/coreutils (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/dma (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/dnsmasq (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/file (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/files (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/fireinfo (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/hdparm (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/i586/glibc (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/iproute2 (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/libgcrypt (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/libgpg-error (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/openssh (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/pcre (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/perl-Email-Date-Format (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/perl-MIME-Lite (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/rrdtool (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/setup (100%)
 rename config/rootfiles/{core => oldcore}/94/filelists/squid (100%)
 copy config/rootfiles/oldcore/{93 => 94}/meta (100%)
 rename config/rootfiles/{core => oldcore}/94/update.sh (100%)
 rename src/initscripts/init.d/network-vlans => config/udev/network-hotplug-vlan (60%)
 copy lfs/{libarchive => ipset} (87%)
 create mode 100644 src/patches/backports-3.18.1-1_no_dma_sgtable_on_x86_64.patch
 create mode 100644 src/patches/linux-3.10-dvb_tevi_s482.patch
 create mode 100644 src/patches/linux-genksyms_fix_typeof_handling.patch
Difference in files: diff --git a/config/backup/exclude b/config/backup/exclude index 83db234..6f09a1f 100644 --- a/config/backup/exclude +++ b/config/backup/exclude @@ -1,4 +1,5 @@ *.tmp +/etc/sysconfig/lm_sensors /var/ipfire/ethernet/settings /var/ipfire/firewall/bin/* /var/ipfire/proxy/calamaris/bin/* diff --git a/config/cfgroot/network-functions.pl b/config/cfgroot/network-functions.pl index cb4ca3d..70fa5ed 100644 --- a/config/cfgroot/network-functions.pl +++ b/config/cfgroot/network-functions.pl @@ -122,6 +122,19 @@ sub network2bin($) { return ($network_start, $netmask_bin); }
+# Deletes leading zeros in ip address +sub ip_remove_zero{ + my $address = shift; + my @ip = split (/./, $address); + + foreach my $octet (@ip) { + $octet = int($octet); + } + + $address = join (".", @ip); + + return $address; +} # Returns True for all valid IP addresses sub check_ip_address($) { my $address = shift; diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index b389fac..eabd9a4 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -391,8 +391,9 @@ sub get_address # IPsec networks. } elsif ($key ~~ ["ipsec_net_src", "ipsec_net_tgt", "IpSec Network"]) { my $network_address = &get_ipsec_net_ip($value, 11); - if ($network_address) { - push(@ret, [$network_address, ""]); + my @nets = split(/|/, $network_address); + foreach my $net (@nets) { + push(@ret, [$net, ""]); }
# The firewall's own IP addresses. diff --git a/config/firewall/ipsec-block b/config/firewall/ipsec-block new file mode 100644 index 0000000..9fa8e1a --- /dev/null +++ b/config/firewall/ipsec-block 
@@ -0,0 +1,59 @@ +#!/bin/bash +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2015 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +VPN_CONFIG="/var/ipfire/vpn/config" + +block_subnet() { + local subnet="${1}" + + # Don't block a wildcard subnet + if [ "${subnet}" = "0.0.0.0/0" ] || [ "${subnet}" = "0.0.0.0/0.0.0.0" ]; then + return 0 + fi + + iptables -A IPSECBLOCK -d "${subnet}" -j REJECT --reject-with icmp-net-unreachable +} + +block_ipsec() { + # Flush all exists rules + iptables -F IPSECBLOCK + + local id status name lefthost type ctype unknown1 unknown2 unknown3 + local leftsubnets unknown4 righthost rightsubnets rest + while IFS="," read -r id status name lefthost type ctype unkown1 unknown2 unknown3 \ + leftsubnets unknown4 righthost rightsubnets rest; do + # Check if the connection is enabled + [ "${status}" = "on" ] || continue + + # Check if this a net-to-net connection + [ "${type}" = "net" ] || continue + + # Split multiple subnets + rightsubnets="${rightsubnets//|/ }" + + local rightsubnet + for rightsubnet in ${rightsubnets}; do + block_subnet "${rightsubnet}" + done + done < "${VPN_CONFIG}" +} + +block_ipsec || exit $? 
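Review bot: In the config/cfgroot/network-functions.pl hunk, ip_remove_zero() splits on `/./` as the line reads here; an unescaped dot matches every character, so split yields only empty fields and the function returns an empty string, and the pattern needs to be `/\./`. The function also applies `int($octet)` without checking that each field is numeric, so a malformed value such as a hostname is silently normalised to zeros instead of being rejected; reject any octet that does not match `^\d+$`, or pass the input through check_ip_address() first. The new sub has no prototype, unlike the neighbouring `network2bin($)` and `check_ip_address($)`, and is missing the blank line that separates it from the next comment.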
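Review bot: In the config/firewall/firewall-lib.pl hunk (get_address, IPsec branch), `split(/|/, $network_address)` as shown uses an unescaped `|`, which is an alternation of two empty patterns and splits the value into single characters rather than into subnets; escape it as `/\|/`. Dropping the old `if ($network_address)` guard also means an undefined return from get_ipsec_net_ip() goes straight into split, and an empty field between two separators would be pushed as a network with an empty address, so return early on an undefined value and skip empty `$net` entries before `push(@ret, [$net, ""])`.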
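Review bot: In block_ipsec() of config/firewall/ipsec-block, the `local` list declares `unknown1` but the `read -r` field list spells it `unkown1`, so that field is written to an undeclared global variable; make the two names match. `iptables -F IPSECBLOCK` runs before `${VPN_CONFIG}` is opened, so a missing or unreadable config file leaves the chain flushed and empty; test that the file is readable before flushing. The loop `for rightsubnet in ${rightsubnets}` relies on unquoted expansion, which also performs pathname expansion on values taken from the config file, so disable globbing with `set -f` or read the subnets into an array. block_subnet() only skips the two wildcard spellings it compares against and does not check the return code of iptables, so a malformed subnet fails without any log message. The comment "Flush all exists rules" should read "existing".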
diff --git a/config/kernel/kernel.config.armv5tel-ipfire-kirkwood b/config/kernel/kernel.config.armv5tel-ipfire-kirkwood index cf44486..325add2 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-kirkwood +++ b/config/kernel/kernel.config.armv5tel-ipfire-kirkwood @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 3.14.37 Kernel Configuration +# Linux/arm 3.14.53 Kernel Configuration # CONFIG_ARM=y CONFIG_SYS_SUPPORTS_APM_EMULATION=y @@ -924,7 +924,6 @@ CONFIG_IP_NF_SECURITY=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m -CONFIG_IP_NF_MATCH_IPP2P=m
# # IPv6: Netfilter Configuration diff --git a/config/kernel/kernel.config.armv5tel-ipfire-multi b/config/kernel/kernel.config.armv5tel-ipfire-multi index 25de266..9729903 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-multi +++ b/config/kernel/kernel.config.armv5tel-ipfire-multi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 3.14.37 Kernel Configuration +# Linux/arm 3.14.53 Kernel Configuration # CONFIG_ARM=y CONFIG_MIGHT_HAVE_PCI=y @@ -1098,7 +1098,6 @@ CONFIG_IP_NF_SECURITY=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m -CONFIG_IP_NF_MATCH_IPP2P=m
# # IPv6: Netfilter Configuration diff --git a/config/kernel/kernel.config.armv5tel-ipfire-rpi b/config/kernel/kernel.config.armv5tel-ipfire-rpi index b25210a..6e584cb 100644 --- a/config/kernel/kernel.config.armv5tel-ipfire-rpi +++ b/config/kernel/kernel.config.armv5tel-ipfire-rpi @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm 3.14.37 Kernel Configuration +# Linux/arm 3.14.53 Kernel Configuration # CONFIG_ARM=y CONFIG_SYS_SUPPORTS_APM_EMULATION=y @@ -863,7 +863,6 @@ CONFIG_IP_NF_SECURITY=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m -CONFIG_IP_NF_MATCH_IPP2P=m
# # IPv6: Netfilter Configuration diff --git a/config/kernel/kernel.config.i586-ipfire b/config/kernel/kernel.config.i586-ipfire index f5ff73e..adac4fb 100644 --- a/config/kernel/kernel.config.i586-ipfire +++ b/config/kernel/kernel.config.i586-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.37 Kernel Configuration +# Linux/x86 3.14.53 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -514,6 +514,7 @@ CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set # CONFIG_CMDLINE_BOOL is not set +# CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
# @@ -677,10 +678,10 @@ CONFIG_EISA_NAMES=y CONFIG_SCx200=m CONFIG_SCx200HR_TIMER=m # CONFIG_OLPC is not set -CONFIG_APULED=y CONFIG_ALIX=y CONFIG_NET5501=y CONFIG_GEOS=y +CONFIG_APULED=y CONFIG_AMD_NB=y CONFIG_PCCARD=m CONFIG_PCMCIA=m @@ -1068,7 +1069,6 @@ CONFIG_IP_NF_SECURITY=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m -CONFIG_IP_NF_MATCH_IPP2P=m
# # IPv6: Netfilter Configuration diff --git a/config/kernel/kernel.config.i586-ipfire-pae b/config/kernel/kernel.config.i586-ipfire-pae index 8e72201..c94a235 100644 --- a/config/kernel/kernel.config.i586-ipfire-pae +++ b/config/kernel/kernel.config.i586-ipfire-pae @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.37 Kernel Configuration +# Linux/x86 3.14.53 Kernel Configuration # # CONFIG_64BIT is not set CONFIG_X86_32=y @@ -527,6 +527,7 @@ CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set # CONFIG_CMDLINE_BOOL is not set +# CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
# @@ -691,10 +692,10 @@ CONFIG_EISA_PCI_EISA=y CONFIG_EISA_VIRTUAL_ROOT=y CONFIG_EISA_NAMES=y # CONFIG_SCx200 is not set -CONFIG_APULED=y # CONFIG_ALIX is not set # CONFIG_NET5501 is not set # CONFIG_GEOS is not set +CONFIG_APULED=y CONFIG_AMD_NB=y CONFIG_PCCARD=m CONFIG_PCMCIA=m @@ -1082,7 +1083,6 @@ CONFIG_IP_NF_SECURITY=m CONFIG_IP_NF_ARPTABLES=m CONFIG_IP_NF_ARPFILTER=m CONFIG_IP_NF_ARP_MANGLE=m -CONFIG_IP_NF_MATCH_IPP2P=m
# # IPv6: Netfilter Configuration diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 902b9e1..cc36ada 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 3.14.43 Kernel Configuration +# Linux/x86 3.14.53 Kernel Configuration # CONFIG_64BIT=y CONFIG_X86_64=y @@ -177,9 +177,11 @@ CONFIG_RD_LZ4=y # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set CONFIG_SYSCTL=y CONFIG_ANON_INODES=y +CONFIG_HAVE_UID16=y CONFIG_SYSCTL_EXCEPTION_TRACE=y CONFIG_HAVE_PCSPKR_PLATFORM=y CONFIG_EXPERT=y +CONFIG_UID16=y # CONFIG_SYSCTL_SYSCALL is not set CONFIG_KALLSYMS=y CONFIG_KALLSYMS_ALL=y @@ -244,6 +246,8 @@ CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y CONFIG_HAVE_ALIGNED_STRUCT_PAGE=y CONFIG_HAVE_CMPXCHG_LOCAL=y CONFIG_HAVE_CMPXCHG_DOUBLE=y +CONFIG_ARCH_WANT_COMPAT_IPC_PARSE_VERSION=y +CONFIG_ARCH_WANT_OLD_COMPAT_IPC=y CONFIG_HAVE_ARCH_SECCOMP_FILTER=y CONFIG_SECCOMP_FILTER=y CONFIG_HAVE_CC_STACKPROTECTOR=y @@ -258,6 +262,8 @@ CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y CONFIG_HAVE_ARCH_SOFT_DIRTY=y CONFIG_MODULES_USE_ELF_RELA=y CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y +CONFIG_OLD_SIGSUSPEND3=y +CONFIG_COMPAT_OLD_SIGACTION=y
# # GCOV-based kernel profiling @@ -306,6 +312,7 @@ CONFIG_LDM_PARTITION=y CONFIG_EFI_PARTITION=y # CONFIG_SYSV68_PARTITION is not set # CONFIG_CMDLINE_PARTITION is not set +CONFIG_BLOCK_COMPAT=y
# # IO Schedulers @@ -335,6 +342,7 @@ CONFIG_FREEZER=y # CONFIG_ZONE_DMA=y CONFIG_SMP=y +# CONFIG_X86_X2APIC is not set CONFIG_X86_MPPARSE=y CONFIG_X86_EXTENDED_PLATFORM=y # CONFIG_X86_VSMP is not set @@ -352,7 +360,7 @@ CONFIG_XEN_PVHVM=y CONFIG_XEN_MAX_DOMAIN_MEMORY=500 CONFIG_XEN_SAVE_RESTORE=y CONFIG_XEN_DEBUG_FS=y -# CONFIG_XEN_PVH is not set +CONFIG_XEN_PVH=y CONFIG_KVM_GUEST=y # CONFIG_KVM_DEBUG_FS is not set CONFIG_PARAVIRT_TIME_ACCOUNTING=y @@ -371,7 +379,7 @@ CONFIG_X86_CMPXCHG64=y CONFIG_X86_CMOV=y CONFIG_X86_MINIMUM_CPU_FAMILY=64 CONFIG_X86_DEBUGCTLMSR=y -CONFIG_PROCESSOR_SELECT=y +# CONFIG_PROCESSOR_SELECT is not set CONFIG_CPU_SUP_INTEL=y CONFIG_CPU_SUP_AMD=y CONFIG_CPU_SUP_CENTAUR=y @@ -484,6 +492,7 @@ CONFIG_HOTPLUG_CPU=y # CONFIG_BOOTPARAM_HOTPLUG_CPU0 is not set # CONFIG_DEBUG_HOTPLUG_CPU0 is not set # CONFIG_CMDLINE_BOOL is not set +# CONFIG_DEFAULT_MODIFY_LDT_SYSCALL is not set CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
# @@ -591,7 +600,7 @@ CONFIG_INTEL_IDLE=y # CONFIG_PCI=y CONFIG_PCI_DIRECT=y -# CONFIG_PCI_MMCONFIG is not set +CONFIG_PCI_MMCONFIG=y CONFIG_PCI_XEN=y CONFIG_PCI_DOMAINS=y # CONFIG_PCI_CNB20LE_QUIRK is not set @@ -614,8 +623,8 @@ CONFIG_XEN_PCIDEV_FRONTEND=m CONFIG_HT_IRQ=y CONFIG_PCI_ATS=y CONFIG_PCI_IOV=y -# CONFIG_PCI_PRI is not set -# CONFIG_PCI_PASID is not set +CONFIG_PCI_PRI=y +CONFIG_PCI_PASID=y CONFIG_PCI_IOAPIC=y CONFIG_PCI_LABEL=y
@@ -654,16 +663,24 @@ CONFIG_X86_SYSFB=y # Executable file formats / Emulations # CONFIG_BINFMT_ELF=y +CONFIG_COMPAT_BINFMT_ELF=y CONFIG_ARCH_BINFMT_ELF_RANDOMIZE_PIE=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y CONFIG_BINFMT_SCRIPT=y # CONFIG_HAVE_AOUT is not set CONFIG_BINFMT_MISC=y CONFIG_COREDUMP=y -# CONFIG_IA32_EMULATION is not set +CONFIG_IA32_EMULATION=y +CONFIG_IA32_AOUT=m +# CONFIG_X86_X32 is not set +CONFIG_COMPAT=y +CONFIG_COMPAT_FOR_U64_ALIGNMENT=y +CONFIG_SYSVIPC_COMPAT=y +CONFIG_KEYS_COMPAT=y CONFIG_X86_DEV_DMA_OPS=y CONFIG_IOSF_MBI=m CONFIG_NET=y +CONFIG_COMPAT_NETLINK_MESSAGES=y
# # Networking options @@ -1195,7 +1212,7 @@ CONFIG_CGROUP_NET_PRIO=m CONFIG_CGROUP_NET_CLASSID=y CONFIG_NET_RX_BUSY_POLL=y CONFIG_BQL=y -# CONFIG_BPF_JIT is not set +CONFIG_BPF_JIT=y CONFIG_NET_FLOW_LIMIT=y
# @@ -1348,7 +1365,7 @@ CONFIG_BLK_DEV_CRYPTOLOOP=m # CONFIG_BLK_DEV_DRBD is not set # CONFIG_BLK_DEV_NBD is not set CONFIG_BLK_DEV_NVME=m -# CONFIG_BLK_DEV_SKD is not set +CONFIG_BLK_DEV_SKD=m # CONFIG_BLK_DEV_OSD is not set CONFIG_BLK_DEV_SX8=m CONFIG_BLK_DEV_RAM=y @@ -1428,13 +1445,13 @@ CONFIG_VMWARE_VMCI=m # # Intel MIC Host Driver # -# CONFIG_INTEL_MIC_HOST is not set +CONFIG_INTEL_MIC_HOST=m
# # Intel MIC Card Driver # -# CONFIG_INTEL_MIC_CARD is not set -# CONFIG_GENWQE is not set +CONFIG_INTEL_MIC_CARD=m +CONFIG_GENWQE=m CONFIG_HAVE_IDE=y # CONFIG_IDE is not set
@@ -4540,7 +4557,8 @@ CONFIG_EDAC=y CONFIG_EDAC_DECODE_MCE=m CONFIG_EDAC_MCE_INJ=m CONFIG_EDAC_MM_EDAC=m -# CONFIG_EDAC_AMD64 is not set +CONFIG_EDAC_AMD64=m +# CONFIG_EDAC_AMD64_ERROR_INJECTION is not set CONFIG_EDAC_E752X=m CONFIG_EDAC_I82975X=m CONFIG_EDAC_I3000=m @@ -4551,6 +4569,7 @@ CONFIG_EDAC_I7CORE=m CONFIG_EDAC_I5000=m CONFIG_EDAC_I5100=m CONFIG_EDAC_I7300=m +CONFIG_EDAC_SBRIDGE=m CONFIG_RTC_LIB=y CONFIG_RTC_CLASS=y CONFIG_RTC_HCTOSYS=y @@ -4896,12 +4915,13 @@ CONFIG_CLKBLD_I8253=y CONFIG_MAILBOX=y CONFIG_IOMMU_API=y CONFIG_IOMMU_SUPPORT=y -# CONFIG_AMD_IOMMU is not set +CONFIG_AMD_IOMMU=y +# CONFIG_AMD_IOMMU_STATS is not set CONFIG_DMAR_TABLE=y CONFIG_INTEL_IOMMU=y # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set CONFIG_INTEL_IOMMU_FLOPPY_WA=y -# CONFIG_IRQ_REMAP is not set +CONFIG_IRQ_REMAP=y
# # Remoteproc drivers @@ -5119,6 +5139,7 @@ CONFIG_QUOTA_TREE=y # CONFIG_QFMT_V1 is not set CONFIG_QFMT_V2=y CONFIG_QUOTACTL=y +CONFIG_QUOTACTL_COMPAT=y CONFIG_AUTOFS4_FS=y CONFIG_FUSE_FS=m CONFIG_CUSE=m @@ -5561,10 +5582,11 @@ CONFIG_PAX_USERCOPY=y # # CONFIG_GRKERNSEC_KMEM is not set # CONFIG_GRKERNSEC_IO is not set +CONFIG_GRKERNSEC_JIT_HARDEN=y # CONFIG_GRKERNSEC_PERF_HARDEN is not set CONFIG_GRKERNSEC_RAND_THREADSTACK=y CONFIG_GRKERNSEC_PROC_MEMMAP=y -# CONFIG_GRKERNSEC_KSTACKOVERFLOW is not set +CONFIG_GRKERNSEC_KSTACKOVERFLOW=y CONFIG_GRKERNSEC_BRUTE=y CONFIG_GRKERNSEC_MODHARDEN=y CONFIG_GRKERNSEC_HIDESYM=y @@ -5747,7 +5769,7 @@ CONFIG_CRYPTO_CRC32C_INTEL=y CONFIG_CRYPTO_CRC32=y CONFIG_CRYPTO_CRC32_PCLMUL=m CONFIG_CRYPTO_CRCT10DIF=y -# CONFIG_CRYPTO_CRCT10DIF_PCLMUL is not set +CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m CONFIG_CRYPTO_GHASH=m CONFIG_CRYPTO_MD4=m CONFIG_CRYPTO_MD5=y diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index b4cd8f8..a174c5b 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -62,7 +62,6 @@ etc/rc.d/init.d/mounttmpfs #etc/rc.d/init.d/netsnmpd etc/rc.d/init.d/network etc/rc.d/init.d/network-trigger -etc/rc.d/init.d/network-vlans #etc/rc.d/init.d/networking etc/rc.d/init.d/networking/any etc/rc.d/init.d/networking/blue @@ -232,7 +231,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger -etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index 878ba66..84c432a 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts 
@@ -64,7 +64,6 @@ etc/rc.d/init.d/mounttmpfs #etc/rc.d/init.d/netsnmpd etc/rc.d/init.d/network etc/rc.d/init.d/network-trigger -etc/rc.d/init.d/network-vlans #etc/rc.d/init.d/networking etc/rc.d/init.d/networking/any etc/rc.d/init.d/networking/blue @@ -237,7 +236,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger -etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig diff --git a/config/rootfiles/common/ipset b/config/rootfiles/common/ipset new file mode 100644 index 0000000..50ebed5 --- /dev/null +++ b/config/rootfiles/common/ipset @@ -0,0 +1,26 @@ +etc/ipset +#usr/include/libipset +#usr/include/libipset/data.h +#usr/include/libipset/errcode.h +#usr/include/libipset/linux_ip_set.h +#usr/include/libipset/linux_ip_set_bitmap.h +#usr/include/libipset/linux_ip_set_hash.h +#usr/include/libipset/linux_ip_set_list.h +#usr/include/libipset/mnl.h +#usr/include/libipset/nf_inet_addr.h +#usr/include/libipset/nfproto.h +#usr/include/libipset/parse.h +#usr/include/libipset/pfxlen.h +#usr/include/libipset/print.h +#usr/include/libipset/session.h +#usr/include/libipset/transport.h +#usr/include/libipset/types.h +#usr/include/libipset/ui.h +#usr/include/libipset/utils.h +#usr/lib/libipset.la +#usr/lib/libipset.so +usr/lib/libipset.so.3 +usr/lib/libipset.so.3.6.0 +#usr/lib/pkgconfig/libipset.pc +usr/sbin/ipset +#usr/share/man/man8/ipset.8 diff --git a/config/rootfiles/common/lzo b/config/rootfiles/common/lzo index 6d746bd..4ebc05c 100644 --- a/config/rootfiles/common/lzo +++ b/config/rootfiles/common/lzo 
@@ -12,16 +12,15 @@ #usr/include/lzo/lzoconf.h #usr/include/lzo/lzodefs.h #usr/include/lzo/lzoutil.h -#usr/lib/liblzo2.a #usr/lib/liblzo2.la usr/lib/liblzo2.so usr/lib/liblzo2.so.2 usr/lib/liblzo2.so.2.0.0 -#usr/share/doc/lzo -#usr/share/doc/lzo/AUTHORS -#usr/share/doc/lzo/COPYING -#usr/share/doc/lzo/LZO.FAQ -#usr/share/doc/lzo/LZO.TXT -#usr/share/doc/lzo/LZOAPI.TXT -#usr/share/doc/lzo/NEWS -#usr/share/doc/lzo/THANKS +#usr/share/doc/lzo-2.09 +#usr/share/doc/lzo-2.09/AUTHORS +#usr/share/doc/lzo-2.09/COPYING +#usr/share/doc/lzo-2.09/LZO.FAQ +#usr/share/doc/lzo-2.09/LZO.TXT +#usr/share/doc/lzo-2.09/LZOAPI.TXT +#usr/share/doc/lzo-2.09/NEWS +#usr/share/doc/lzo-2.09/THANKS diff --git a/config/rootfiles/common/ntp b/config/rootfiles/common/ntp index aacdb25..4baa074 100644 --- a/config/rootfiles/common/ntp +++ b/config/rootfiles/common/ntp 
@@ -14,257 +14,259 @@ usr/bin/ntptime usr/bin/ntptrace usr/bin/sntp usr/bin/tickadj -#usr/include/event2 -#usr/share/doc/ntp4 -#usr/share/doc/ntp4/html -#usr/share/doc/ntp4/html/access.html -#usr/share/doc/ntp4/html/accopt.html -#usr/share/doc/ntp4/html/assoc.html -#usr/share/doc/ntp4/html/audio.html -#usr/share/doc/ntp4/html/authentic.html -#usr/share/doc/ntp4/html/authopt.html -#usr/share/doc/ntp4/html/autokey.html -#usr/share/doc/ntp4/html/bugs.html -#usr/share/doc/ntp4/html/build.html -#usr/share/doc/ntp4/html/clock.html -#usr/share/doc/ntp4/html/clockopt.html -#usr/share/doc/ntp4/html/cluster.html -#usr/share/doc/ntp4/html/comdex.html -#usr/share/doc/ntp4/html/config.html -#usr/share/doc/ntp4/html/confopt.html -#usr/share/doc/ntp4/html/copyright.html -#usr/share/doc/ntp4/html/debug.html -#usr/share/doc/ntp4/html/decode.html -#usr/share/doc/ntp4/html/discipline.html -#usr/share/doc/ntp4/html/discover.html -#usr/share/doc/ntp4/html/drivers -#usr/share/doc/ntp4/html/drivers/driver1.html -#usr/share/doc/ntp4/html/drivers/driver10.html -#usr/share/doc/ntp4/html/drivers/driver11.html -#usr/share/doc/ntp4/html/drivers/driver12.html -#usr/share/doc/ntp4/html/drivers/driver16.html -#usr/share/doc/ntp4/html/drivers/driver18.html -#usr/share/doc/ntp4/html/drivers/driver19.html -#usr/share/doc/ntp4/html/drivers/driver20.html -#usr/share/doc/ntp4/html/drivers/driver22.html -#usr/share/doc/ntp4/html/drivers/driver26.html -#usr/share/doc/ntp4/html/drivers/driver27.html -#usr/share/doc/ntp4/html/drivers/driver28.html -#usr/share/doc/ntp4/html/drivers/driver29.html -#usr/share/doc/ntp4/html/drivers/driver3.html -#usr/share/doc/ntp4/html/drivers/driver30.html -#usr/share/doc/ntp4/html/drivers/driver31.html -#usr/share/doc/ntp4/html/drivers/driver32.html -#usr/share/doc/ntp4/html/drivers/driver33.html -#usr/share/doc/ntp4/html/drivers/driver34.html -#usr/share/doc/ntp4/html/drivers/driver35.html -#usr/share/doc/ntp4/html/drivers/driver36.html 
-#usr/share/doc/ntp4/html/drivers/driver37.html -#usr/share/doc/ntp4/html/drivers/driver38.html -#usr/share/doc/ntp4/html/drivers/driver39.html -#usr/share/doc/ntp4/html/drivers/driver4.html -#usr/share/doc/ntp4/html/drivers/driver40.html -#usr/share/doc/ntp4/html/drivers/driver42.html -#usr/share/doc/ntp4/html/drivers/driver43.html -#usr/share/doc/ntp4/html/drivers/driver44.html -#usr/share/doc/ntp4/html/drivers/driver45.html -#usr/share/doc/ntp4/html/drivers/driver46.html -#usr/share/doc/ntp4/html/drivers/driver5.html -#usr/share/doc/ntp4/html/drivers/driver6.html -#usr/share/doc/ntp4/html/drivers/driver7.html -#usr/share/doc/ntp4/html/drivers/driver8.html -#usr/share/doc/ntp4/html/drivers/driver9.html -#usr/share/doc/ntp4/html/drivers/icons -#usr/share/doc/ntp4/html/drivers/icons/home.gif -#usr/share/doc/ntp4/html/drivers/icons/mail2.gif -#usr/share/doc/ntp4/html/drivers/mx4200data.html -#usr/share/doc/ntp4/html/drivers/oncore-shmem.html -#usr/share/doc/ntp4/html/drivers/scripts -#usr/share/doc/ntp4/html/drivers/scripts/footer.txt -#usr/share/doc/ntp4/html/drivers/scripts/style.css -#usr/share/doc/ntp4/html/drivers/tf582_4.html -#usr/share/doc/ntp4/html/extern.html -#usr/share/doc/ntp4/html/filter.html -#usr/share/doc/ntp4/html/hints -#usr/share/doc/ntp4/html/hints.html -#usr/share/doc/ntp4/html/hints/a-ux -#usr/share/doc/ntp4/html/hints/aix -#usr/share/doc/ntp4/html/hints/bsdi -#usr/share/doc/ntp4/html/hints/changes -#usr/share/doc/ntp4/html/hints/decosf1 -#usr/share/doc/ntp4/html/hints/decosf2 -#usr/share/doc/ntp4/html/hints/freebsd -#usr/share/doc/ntp4/html/hints/hpux -#usr/share/doc/ntp4/html/hints/linux -#usr/share/doc/ntp4/html/hints/mpeix -#usr/share/doc/ntp4/html/hints/notes-xntp-v3 -#usr/share/doc/ntp4/html/hints/parse -#usr/share/doc/ntp4/html/hints/refclocks -#usr/share/doc/ntp4/html/hints/rs6000 -#usr/share/doc/ntp4/html/hints/sco.html -#usr/share/doc/ntp4/html/hints/sgi -#usr/share/doc/ntp4/html/hints/solaris-dosynctodr.html 
-#usr/share/doc/ntp4/html/hints/solaris.html -#usr/share/doc/ntp4/html/hints/solaris.xtra.4023118 -#usr/share/doc/ntp4/html/hints/solaris.xtra.4095849 -#usr/share/doc/ntp4/html/hints/solaris.xtra.S99ntpd -#usr/share/doc/ntp4/html/hints/solaris.xtra.patchfreq -#usr/share/doc/ntp4/html/hints/sun4 -#usr/share/doc/ntp4/html/hints/svr4-dell -#usr/share/doc/ntp4/html/hints/svr4_package -#usr/share/doc/ntp4/html/hints/todo -#usr/share/doc/ntp4/html/hints/vxworks.html -#usr/share/doc/ntp4/html/hints/winnt.html -#usr/share/doc/ntp4/html/history.html -#usr/share/doc/ntp4/html/howto.html -#usr/share/doc/ntp4/html/huffpuff.html -#usr/share/doc/ntp4/html/icons -#usr/share/doc/ntp4/html/icons/home.gif -#usr/share/doc/ntp4/html/icons/mail2.gif -#usr/share/doc/ntp4/html/icons/sitemap.png -#usr/share/doc/ntp4/html/index.html -#usr/share/doc/ntp4/html/kern.html -#usr/share/doc/ntp4/html/kernpps.html -#usr/share/doc/ntp4/html/keygen.html -#usr/share/doc/ntp4/html/leap.html -#usr/share/doc/ntp4/html/miscopt.html -#usr/share/doc/ntp4/html/monopt.html -#usr/share/doc/ntp4/html/msyslog.html -#usr/share/doc/ntp4/html/ntp-wait.html -#usr/share/doc/ntp4/html/ntp_conf.html -#usr/share/doc/ntp4/html/ntpd.html -#usr/share/doc/ntp4/html/ntpdate.html -#usr/share/doc/ntp4/html/ntpdc.html -#usr/share/doc/ntp4/html/ntpdsim.html -#usr/share/doc/ntp4/html/ntpdsim_new.html -#usr/share/doc/ntp4/html/ntpq.html -#usr/share/doc/ntp4/html/ntptime.html -#usr/share/doc/ntp4/html/ntptrace.html -#usr/share/doc/ntp4/html/orphan.html -#usr/share/doc/ntp4/html/parsedata.html -#usr/share/doc/ntp4/html/parsenew.html -#usr/share/doc/ntp4/html/pic -#usr/share/doc/ntp4/html/pic/9400n.jpg -#usr/share/doc/ntp4/html/pic/alice11.gif -#usr/share/doc/ntp4/html/pic/alice13.gif -#usr/share/doc/ntp4/html/pic/alice15.gif -#usr/share/doc/ntp4/html/pic/alice23.gif -#usr/share/doc/ntp4/html/pic/alice31.gif -#usr/share/doc/ntp4/html/pic/alice32.gif -#usr/share/doc/ntp4/html/pic/alice35.gif -#usr/share/doc/ntp4/html/pic/alice38.gif 
-#usr/share/doc/ntp4/html/pic/alice44.gif -#usr/share/doc/ntp4/html/pic/alice47.gif -#usr/share/doc/ntp4/html/pic/alice51.gif -#usr/share/doc/ntp4/html/pic/alice61.gif -#usr/share/doc/ntp4/html/pic/barnstable.gif -#usr/share/doc/ntp4/html/pic/beaver.gif -#usr/share/doc/ntp4/html/pic/boom3.gif -#usr/share/doc/ntp4/html/pic/boom3a.gif -#usr/share/doc/ntp4/html/pic/boom4.gif -#usr/share/doc/ntp4/html/pic/broad.gif -#usr/share/doc/ntp4/html/pic/bustardfly.gif -#usr/share/doc/ntp4/html/pic/c51.jpg -#usr/share/doc/ntp4/html/pic/description.jpg -#usr/share/doc/ntp4/html/pic/discipline.gif -#usr/share/doc/ntp4/html/pic/dogsnake.gif -#usr/share/doc/ntp4/html/pic/driver29.gif -#usr/share/doc/ntp4/html/pic/driver43_1.gif -#usr/share/doc/ntp4/html/pic/driver43_2.jpg -#usr/share/doc/ntp4/html/pic/fg6021.gif -#usr/share/doc/ntp4/html/pic/fg6039.jpg -#usr/share/doc/ntp4/html/pic/fig_3_1.gif -#usr/share/doc/ntp4/html/pic/flatheads.gif -#usr/share/doc/ntp4/html/pic/flt1.gif -#usr/share/doc/ntp4/html/pic/flt2.gif -#usr/share/doc/ntp4/html/pic/flt3.gif -#usr/share/doc/ntp4/html/pic/flt4.gif -#usr/share/doc/ntp4/html/pic/flt5.gif -#usr/share/doc/ntp4/html/pic/flt6.gif -#usr/share/doc/ntp4/html/pic/flt7.gif -#usr/share/doc/ntp4/html/pic/flt8.gif -#usr/share/doc/ntp4/html/pic/flt9.gif -#usr/share/doc/ntp4/html/pic/freq1211.gif -#usr/share/doc/ntp4/html/pic/gadget.jpg -#usr/share/doc/ntp4/html/pic/gps167.jpg -#usr/share/doc/ntp4/html/pic/group.gif -#usr/share/doc/ntp4/html/pic/hornraba.gif -#usr/share/doc/ntp4/html/pic/igclock.gif -#usr/share/doc/ntp4/html/pic/neoclock4x.gif -#usr/share/doc/ntp4/html/pic/offset1211.gif -#usr/share/doc/ntp4/html/pic/oncore_evalbig.gif -#usr/share/doc/ntp4/html/pic/oncore_remoteant.jpg -#usr/share/doc/ntp4/html/pic/oncore_utplusbig.gif -#usr/share/doc/ntp4/html/pic/oz2.gif -#usr/share/doc/ntp4/html/pic/panda.gif -#usr/share/doc/ntp4/html/pic/pd_om006.gif -#usr/share/doc/ntp4/html/pic/pd_om011.gif -#usr/share/doc/ntp4/html/pic/peer.gif 
-#usr/share/doc/ntp4/html/pic/pogo.gif -#usr/share/doc/ntp4/html/pic/pogo1a.gif -#usr/share/doc/ntp4/html/pic/pogo3a.gif -#usr/share/doc/ntp4/html/pic/pogo4.gif -#usr/share/doc/ntp4/html/pic/pogo5.gif -#usr/share/doc/ntp4/html/pic/pogo6.gif -#usr/share/doc/ntp4/html/pic/pogo7.gif -#usr/share/doc/ntp4/html/pic/pogo8.gif -#usr/share/doc/ntp4/html/pic/pzf509.jpg -#usr/share/doc/ntp4/html/pic/pzf511.jpg -#usr/share/doc/ntp4/html/pic/rabbit.gif -#usr/share/doc/ntp4/html/pic/radio2.jpg -#usr/share/doc/ntp4/html/pic/sheepb.jpg -#usr/share/doc/ntp4/html/pic/stack1a.jpg -#usr/share/doc/ntp4/html/pic/stats.gif -#usr/share/doc/ntp4/html/pic/sx5.gif -#usr/share/doc/ntp4/html/pic/thunderbolt.jpg -#usr/share/doc/ntp4/html/pic/time1.gif -#usr/share/doc/ntp4/html/pic/tonea.gif -#usr/share/doc/ntp4/html/pic/tribeb.gif -#usr/share/doc/ntp4/html/pic/wingdorothy.gif -#usr/share/doc/ntp4/html/poll.html -#usr/share/doc/ntp4/html/pps.html -#usr/share/doc/ntp4/html/prefer.html -#usr/share/doc/ntp4/html/quick.html -#usr/share/doc/ntp4/html/rate.html -#usr/share/doc/ntp4/html/rdebug.html -#usr/share/doc/ntp4/html/refclock.html -#usr/share/doc/ntp4/html/release.html -#usr/share/doc/ntp4/html/scripts -#usr/share/doc/ntp4/html/scripts/accopt.txt -#usr/share/doc/ntp4/html/scripts/audio.txt -#usr/share/doc/ntp4/html/scripts/authopt.txt -#usr/share/doc/ntp4/html/scripts/clockopt.txt -#usr/share/doc/ntp4/html/scripts/command.txt -#usr/share/doc/ntp4/html/scripts/config.txt -#usr/share/doc/ntp4/html/scripts/confopt.txt -#usr/share/doc/ntp4/html/scripts/external.txt -#usr/share/doc/ntp4/html/scripts/footer.txt -#usr/share/doc/ntp4/html/scripts/hand.txt -#usr/share/doc/ntp4/html/scripts/install.txt -#usr/share/doc/ntp4/html/scripts/manual.txt -#usr/share/doc/ntp4/html/scripts/misc.txt -#usr/share/doc/ntp4/html/scripts/miscopt.txt -#usr/share/doc/ntp4/html/scripts/monopt.txt -#usr/share/doc/ntp4/html/scripts/refclock.txt -#usr/share/doc/ntp4/html/scripts/special.txt 
-#usr/share/doc/ntp4/html/scripts/style.css -#usr/share/doc/ntp4/html/select.html -#usr/share/doc/ntp4/html/sitemap.html -#usr/share/doc/ntp4/html/sntp.html -#usr/share/doc/ntp4/html/stats.html -#usr/share/doc/ntp4/html/tickadj.html -#usr/share/doc/ntp4/html/warp.html -#usr/share/doc/ntp4/html/xleave.html -#usr/share/doc/ntp4/ntp-keygen.html -#usr/share/doc/ntp4/ntp-wait.html -#usr/share/doc/ntp4/ntp.conf.html -#usr/share/doc/ntp4/ntp.keys.html -#usr/share/doc/ntp4/ntpd.html -#usr/share/doc/ntp4/ntpdc.html -#usr/share/doc/ntp4/ntpq.html -#usr/share/doc/ntp4/ntpsnmpd.html -#usr/share/doc/ntp4/ntpsweep.html -#usr/share/doc/ntp4/ntptrace.html +usr/bin/update-leap +#usr/share/doc/ntp +#usr/share/doc/ntp/html +#usr/share/doc/ntp/html/access.html +#usr/share/doc/ntp/html/accopt.html +#usr/share/doc/ntp/html/assoc.html +#usr/share/doc/ntp/html/audio.html +#usr/share/doc/ntp/html/authentic.html +#usr/share/doc/ntp/html/authopt.html +#usr/share/doc/ntp/html/autokey.html +#usr/share/doc/ntp/html/bugs.html +#usr/share/doc/ntp/html/build.html +#usr/share/doc/ntp/html/clock.html +#usr/share/doc/ntp/html/clockopt.html +#usr/share/doc/ntp/html/cluster.html +#usr/share/doc/ntp/html/comdex.html +#usr/share/doc/ntp/html/config.html +#usr/share/doc/ntp/html/confopt.html +#usr/share/doc/ntp/html/copyright.html +#usr/share/doc/ntp/html/debug.html +#usr/share/doc/ntp/html/decode.html +#usr/share/doc/ntp/html/discipline.html +#usr/share/doc/ntp/html/discover.html +#usr/share/doc/ntp/html/drivers +#usr/share/doc/ntp/html/drivers/driver1.html +#usr/share/doc/ntp/html/drivers/driver10.html +#usr/share/doc/ntp/html/drivers/driver11.html +#usr/share/doc/ntp/html/drivers/driver12.html +#usr/share/doc/ntp/html/drivers/driver16.html +#usr/share/doc/ntp/html/drivers/driver18.html +#usr/share/doc/ntp/html/drivers/driver19.html +#usr/share/doc/ntp/html/drivers/driver20.html +#usr/share/doc/ntp/html/drivers/driver22.html +#usr/share/doc/ntp/html/drivers/driver26.html 
+#usr/share/doc/ntp/html/drivers/driver27.html +#usr/share/doc/ntp/html/drivers/driver28.html +#usr/share/doc/ntp/html/drivers/driver29.html +#usr/share/doc/ntp/html/drivers/driver3.html +#usr/share/doc/ntp/html/drivers/driver30.html +#usr/share/doc/ntp/html/drivers/driver31.html +#usr/share/doc/ntp/html/drivers/driver32.html +#usr/share/doc/ntp/html/drivers/driver33.html +#usr/share/doc/ntp/html/drivers/driver34.html +#usr/share/doc/ntp/html/drivers/driver35.html +#usr/share/doc/ntp/html/drivers/driver36.html +#usr/share/doc/ntp/html/drivers/driver37.html +#usr/share/doc/ntp/html/drivers/driver38.html +#usr/share/doc/ntp/html/drivers/driver39.html +#usr/share/doc/ntp/html/drivers/driver4.html +#usr/share/doc/ntp/html/drivers/driver40-ja.html +#usr/share/doc/ntp/html/drivers/driver40.html +#usr/share/doc/ntp/html/drivers/driver42.html +#usr/share/doc/ntp/html/drivers/driver43.html +#usr/share/doc/ntp/html/drivers/driver44.html +#usr/share/doc/ntp/html/drivers/driver45.html +#usr/share/doc/ntp/html/drivers/driver46.html +#usr/share/doc/ntp/html/drivers/driver5.html +#usr/share/doc/ntp/html/drivers/driver6.html +#usr/share/doc/ntp/html/drivers/driver7.html +#usr/share/doc/ntp/html/drivers/driver8.html +#usr/share/doc/ntp/html/drivers/driver9.html +#usr/share/doc/ntp/html/drivers/icons +#usr/share/doc/ntp/html/drivers/icons/home.gif +#usr/share/doc/ntp/html/drivers/icons/mail2.gif +#usr/share/doc/ntp/html/drivers/mx4200data.html +#usr/share/doc/ntp/html/drivers/oncore-shmem.html +#usr/share/doc/ntp/html/drivers/scripts +#usr/share/doc/ntp/html/drivers/scripts/footer.txt +#usr/share/doc/ntp/html/drivers/scripts/style.css +#usr/share/doc/ntp/html/drivers/tf582_4.html +#usr/share/doc/ntp/html/extern.html +#usr/share/doc/ntp/html/filter.html +#usr/share/doc/ntp/html/hints +#usr/share/doc/ntp/html/hints.html +#usr/share/doc/ntp/html/hints/a-ux +#usr/share/doc/ntp/html/hints/aix +#usr/share/doc/ntp/html/hints/bsdi +#usr/share/doc/ntp/html/hints/changes 
+#usr/share/doc/ntp/html/hints/decosf1 +#usr/share/doc/ntp/html/hints/decosf2 +#usr/share/doc/ntp/html/hints/freebsd +#usr/share/doc/ntp/html/hints/hpux +#usr/share/doc/ntp/html/hints/linux +#usr/share/doc/ntp/html/hints/mpeix +#usr/share/doc/ntp/html/hints/notes-xntp-v3 +#usr/share/doc/ntp/html/hints/parse +#usr/share/doc/ntp/html/hints/refclocks +#usr/share/doc/ntp/html/hints/rs6000 +#usr/share/doc/ntp/html/hints/sco.html +#usr/share/doc/ntp/html/hints/sgi +#usr/share/doc/ntp/html/hints/solaris-dosynctodr.html +#usr/share/doc/ntp/html/hints/solaris.html +#usr/share/doc/ntp/html/hints/solaris.xtra.4023118 +#usr/share/doc/ntp/html/hints/solaris.xtra.4095849 +#usr/share/doc/ntp/html/hints/solaris.xtra.S99ntpd +#usr/share/doc/ntp/html/hints/solaris.xtra.patchfreq +#usr/share/doc/ntp/html/hints/sun4 +#usr/share/doc/ntp/html/hints/svr4-dell +#usr/share/doc/ntp/html/hints/svr4_package +#usr/share/doc/ntp/html/hints/todo +#usr/share/doc/ntp/html/hints/vxworks.html +#usr/share/doc/ntp/html/hints/winnt.html +#usr/share/doc/ntp/html/history.html +#usr/share/doc/ntp/html/howto.html +#usr/share/doc/ntp/html/huffpuff.html +#usr/share/doc/ntp/html/icons +#usr/share/doc/ntp/html/icons/home.gif +#usr/share/doc/ntp/html/icons/mail2.gif +#usr/share/doc/ntp/html/icons/sitemap.png +#usr/share/doc/ntp/html/index.html +#usr/share/doc/ntp/html/kern.html +#usr/share/doc/ntp/html/kernpps.html +#usr/share/doc/ntp/html/keygen.html +#usr/share/doc/ntp/html/leap.html +#usr/share/doc/ntp/html/miscopt.html +#usr/share/doc/ntp/html/monopt.html +#usr/share/doc/ntp/html/msyslog.html +#usr/share/doc/ntp/html/ntp-wait.html +#usr/share/doc/ntp/html/ntp_conf.html +#usr/share/doc/ntp/html/ntpd.html +#usr/share/doc/ntp/html/ntpdate.html +#usr/share/doc/ntp/html/ntpdc.html +#usr/share/doc/ntp/html/ntpdsim.html +#usr/share/doc/ntp/html/ntpdsim_new.html +#usr/share/doc/ntp/html/ntpq.html +#usr/share/doc/ntp/html/ntptime.html +#usr/share/doc/ntp/html/ntptrace.html +#usr/share/doc/ntp/html/orphan.html 
+#usr/share/doc/ntp/html/parsedata.html +#usr/share/doc/ntp/html/parsenew.html +#usr/share/doc/ntp/html/pic +#usr/share/doc/ntp/html/pic/9400n.jpg +#usr/share/doc/ntp/html/pic/alice11.gif +#usr/share/doc/ntp/html/pic/alice13.gif +#usr/share/doc/ntp/html/pic/alice15.gif +#usr/share/doc/ntp/html/pic/alice23.gif +#usr/share/doc/ntp/html/pic/alice31.gif +#usr/share/doc/ntp/html/pic/alice32.gif +#usr/share/doc/ntp/html/pic/alice35.gif +#usr/share/doc/ntp/html/pic/alice38.gif +#usr/share/doc/ntp/html/pic/alice44.gif +#usr/share/doc/ntp/html/pic/alice47.gif +#usr/share/doc/ntp/html/pic/alice51.gif +#usr/share/doc/ntp/html/pic/alice61.gif +#usr/share/doc/ntp/html/pic/barnstable.gif +#usr/share/doc/ntp/html/pic/beaver.gif +#usr/share/doc/ntp/html/pic/boom3.gif +#usr/share/doc/ntp/html/pic/boom3a.gif +#usr/share/doc/ntp/html/pic/boom4.gif +#usr/share/doc/ntp/html/pic/broad.gif +#usr/share/doc/ntp/html/pic/bustardfly.gif +#usr/share/doc/ntp/html/pic/c51.jpg +#usr/share/doc/ntp/html/pic/description.jpg +#usr/share/doc/ntp/html/pic/discipline.gif +#usr/share/doc/ntp/html/pic/dogsnake.gif +#usr/share/doc/ntp/html/pic/driver29.gif +#usr/share/doc/ntp/html/pic/driver43_1.gif +#usr/share/doc/ntp/html/pic/driver43_2.jpg +#usr/share/doc/ntp/html/pic/fg6021.gif +#usr/share/doc/ntp/html/pic/fg6039.jpg +#usr/share/doc/ntp/html/pic/fig_3_1.gif +#usr/share/doc/ntp/html/pic/flatheads.gif +#usr/share/doc/ntp/html/pic/flt1.gif +#usr/share/doc/ntp/html/pic/flt2.gif +#usr/share/doc/ntp/html/pic/flt3.gif +#usr/share/doc/ntp/html/pic/flt4.gif +#usr/share/doc/ntp/html/pic/flt5.gif +#usr/share/doc/ntp/html/pic/flt6.gif +#usr/share/doc/ntp/html/pic/flt7.gif +#usr/share/doc/ntp/html/pic/flt8.gif +#usr/share/doc/ntp/html/pic/flt9.gif +#usr/share/doc/ntp/html/pic/freq1211.gif +#usr/share/doc/ntp/html/pic/gadget.jpg +#usr/share/doc/ntp/html/pic/gps167.jpg +#usr/share/doc/ntp/html/pic/group.gif +#usr/share/doc/ntp/html/pic/hornraba.gif +#usr/share/doc/ntp/html/pic/igclock.gif 
+#usr/share/doc/ntp/html/pic/neoclock4x.gif +#usr/share/doc/ntp/html/pic/offset1211.gif +#usr/share/doc/ntp/html/pic/oncore_evalbig.gif +#usr/share/doc/ntp/html/pic/oncore_remoteant.jpg +#usr/share/doc/ntp/html/pic/oncore_utplusbig.gif +#usr/share/doc/ntp/html/pic/oz2.gif +#usr/share/doc/ntp/html/pic/panda.gif +#usr/share/doc/ntp/html/pic/pd_om006.gif +#usr/share/doc/ntp/html/pic/pd_om011.gif +#usr/share/doc/ntp/html/pic/peer.gif +#usr/share/doc/ntp/html/pic/pogo.gif +#usr/share/doc/ntp/html/pic/pogo1a.gif +#usr/share/doc/ntp/html/pic/pogo3a.gif +#usr/share/doc/ntp/html/pic/pogo4.gif +#usr/share/doc/ntp/html/pic/pogo5.gif +#usr/share/doc/ntp/html/pic/pogo6.gif +#usr/share/doc/ntp/html/pic/pogo7.gif +#usr/share/doc/ntp/html/pic/pogo8.gif +#usr/share/doc/ntp/html/pic/pzf509.jpg +#usr/share/doc/ntp/html/pic/pzf511.jpg +#usr/share/doc/ntp/html/pic/rabbit.gif +#usr/share/doc/ntp/html/pic/radio2.jpg +#usr/share/doc/ntp/html/pic/sheepb.jpg +#usr/share/doc/ntp/html/pic/stack1a.jpg +#usr/share/doc/ntp/html/pic/stats.gif +#usr/share/doc/ntp/html/pic/sx5.gif +#usr/share/doc/ntp/html/pic/thunderbolt.jpg +#usr/share/doc/ntp/html/pic/time1.gif +#usr/share/doc/ntp/html/pic/tonea.gif +#usr/share/doc/ntp/html/pic/tribeb.gif +#usr/share/doc/ntp/html/pic/wingdorothy.gif +#usr/share/doc/ntp/html/poll.html +#usr/share/doc/ntp/html/pps.html +#usr/share/doc/ntp/html/prefer.html +#usr/share/doc/ntp/html/quick.html +#usr/share/doc/ntp/html/rate.html +#usr/share/doc/ntp/html/rdebug.html +#usr/share/doc/ntp/html/refclock.html +#usr/share/doc/ntp/html/release.html +#usr/share/doc/ntp/html/scripts +#usr/share/doc/ntp/html/scripts/accopt.txt +#usr/share/doc/ntp/html/scripts/audio.txt +#usr/share/doc/ntp/html/scripts/authopt.txt +#usr/share/doc/ntp/html/scripts/clockopt.txt +#usr/share/doc/ntp/html/scripts/command.txt +#usr/share/doc/ntp/html/scripts/config.txt +#usr/share/doc/ntp/html/scripts/confopt.txt +#usr/share/doc/ntp/html/scripts/external.txt +#usr/share/doc/ntp/html/scripts/footer.txt 
+#usr/share/doc/ntp/html/scripts/hand.txt +#usr/share/doc/ntp/html/scripts/install.txt +#usr/share/doc/ntp/html/scripts/manual.txt +#usr/share/doc/ntp/html/scripts/misc.txt +#usr/share/doc/ntp/html/scripts/miscopt.txt +#usr/share/doc/ntp/html/scripts/monopt.txt +#usr/share/doc/ntp/html/scripts/refclock.txt +#usr/share/doc/ntp/html/scripts/special.txt +#usr/share/doc/ntp/html/scripts/style.css +#usr/share/doc/ntp/html/select.html +#usr/share/doc/ntp/html/sitemap.html +#usr/share/doc/ntp/html/sntp.html +#usr/share/doc/ntp/html/stats.html +#usr/share/doc/ntp/html/tickadj.html +#usr/share/doc/ntp/html/warp.html +#usr/share/doc/ntp/html/xleave.html +#usr/share/doc/ntp/ntp-keygen.html +#usr/share/doc/ntp/ntp-wait.html +#usr/share/doc/ntp/ntp.conf.html +#usr/share/doc/ntp/ntp.keys.html +#usr/share/doc/ntp/ntpd.html +#usr/share/doc/ntp/ntpdc.html +#usr/share/doc/ntp/ntpq.html +#usr/share/doc/ntp/ntpsnmpd.html +#usr/share/doc/ntp/ntpsweep.html +#usr/share/doc/ntp/ntptrace.html +#usr/share/doc/ntp/update-leap.html #usr/share/doc/sntp #usr/share/doc/sntp/sntp.html #usr/share/man/man1/calc_tickadj.1 @@ -275,6 +277,7 @@ usr/bin/tickadj #usr/share/man/man1/ntpq.1 #usr/share/man/man1/ntptrace.1 #usr/share/man/man1/sntp.1 +#usr/share/man/man1/update-leap.1 #usr/share/man/man5/ntp.conf.5 #usr/share/man/man5/ntp.keys.5 #usr/share/ntp diff --git a/config/rootfiles/common/procps b/config/rootfiles/common/procps index d5e5ad3..2863167 100644 --- a/config/rootfiles/common/procps +++ b/config/rootfiles/common/procps @@ -3,7 +3,7 @@ bin/ps lib/libproc-3.2.6.so sbin/sysctl usr/bin/free -#usr/bin/pgrep +usr/bin/pgrep #usr/bin/pkill #usr/bin/pmap #usr/bin/pwdx diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2 index 90e28d9..4021caf 100644 --- a/config/rootfiles/common/stage2 +++ b/config/rootfiles/common/stage2 
@@ -73,6 +73,7 @@ run #usr/lib usr/lib/firewall usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/ipsec-block usr/lib/firewall/rules.pl #usr/lib/libgcc_s.so usr/lib/libgcc_s.so.1 diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 7564d38..f51cc3a 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -153,6 +153,7 @@ usr/libexec/ipsec/starter usr/libexec/ipsec/stroke usr/sbin/ipsec #usr/share/man/man1/pki---acert.1 +#usr/share/man/man1/pki---dn.1 #usr/share/man/man1/pki---gen.1 #usr/share/man/man1/pki---issue.1 #usr/share/man/man1/pki---keyid.1 diff --git a/config/rootfiles/common/udev b/config/rootfiles/common/udev index d01c461..4d51954 100644 --- a/config/rootfiles/common/udev +++ b/config/rootfiles/common/udev @@ -29,6 +29,7 @@ lib/udev #lib/udev/init-net-rules.sh #lib/udev/mtd_probe #lib/udev/network-hotplug-rename +#lib/udev/network-hotplug-vlan #lib/udev/rule_generator.functions #lib/udev/rules.d #lib/udev/rules.d/25-alsa.rules diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index 878ba66..84c432a 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -64,7 +64,6 @@ etc/rc.d/init.d/mounttmpfs #etc/rc.d/init.d/netsnmpd etc/rc.d/init.d/network etc/rc.d/init.d/network-trigger -etc/rc.d/init.d/network-vlans #etc/rc.d/init.d/networking etc/rc.d/init.d/networking/any etc/rc.d/init.d/networking/blue @@ -237,7 +236,6 @@ etc/rc.d/rcsysinit.d/S75firstsetup etc/rc.d/rcsysinit.d/S80localnet etc/rc.d/rcsysinit.d/S85firewall etc/rc.d/rcsysinit.d/S90network-trigger -etc/rc.d/rcsysinit.d/S91network-vlans etc/rc.d/rcsysinit.d/S92rngd etc/rc.d/rc3.d/S15fireinfo #etc/sysconfig diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index 4f1ac7a..2cae007 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux 
@@ -18,6 +18,7 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/cast5-avx-x86_64.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/cast6-avx-x86_64.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/crc32-pclmul.ko +#lib/modules/KVER-ipfire/kernel/arch/x86/crypto/crct10dif-pclmul.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/ghash-clmulni-intel.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/salsa20-x86_64.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/serpent-avx-x86_64.ko @@ -29,6 +30,8 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/twofish-avx-x86_64.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/twofish-x86_64-3way.ko #lib/modules/KVER-ipfire/kernel/arch/x86/crypto/twofish-x86_64.ko +#lib/modules/KVER-ipfire/kernel/arch/x86/ia32 +#lib/modules/KVER-ipfire/kernel/arch/x86/ia32/ia32_aout.ko #lib/modules/KVER-ipfire/kernel/arch/x86/kernel #lib/modules/KVER-ipfire/kernel/arch/x86/kernel/cpu #lib/modules/KVER-ipfire/kernel/arch/x86/kernel/cpu/microcode @@ -207,6 +210,7 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/block/nvme.ko #lib/modules/KVER-ipfire/kernel/drivers/block/rsxx #lib/modules/KVER-ipfire/kernel/drivers/block/rsxx/rsxx.ko +#lib/modules/KVER-ipfire/kernel/drivers/block/skd.ko #lib/modules/KVER-ipfire/kernel/drivers/block/sx8.ko #lib/modules/KVER-ipfire/kernel/drivers/block/umem.ko #lib/modules/KVER-ipfire/kernel/drivers/block/virtio_blk.ko @@ -279,6 +283,7 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/dma/pch_dma.ko #lib/modules/KVER-ipfire/kernel/drivers/dma/timb_dma.ko #lib/modules/KVER-ipfire/kernel/drivers/edac +#lib/modules/KVER-ipfire/kernel/drivers/edac/amd64_edac_mod.ko #lib/modules/KVER-ipfire/kernel/drivers/edac/e752x_edac.ko #lib/modules/KVER-ipfire/kernel/drivers/edac/edac_core.ko #lib/modules/KVER-ipfire/kernel/drivers/edac/edac_mce_amd.ko 
@@ -291,6 +296,7 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/edac/i7core_edac.ko #lib/modules/KVER-ipfire/kernel/drivers/edac/i82975x_edac.ko #lib/modules/KVER-ipfire/kernel/drivers/edac/mce_amd_inj.ko +#lib/modules/KVER-ipfire/kernel/drivers/edac/sb_edac.ko #lib/modules/KVER-ipfire/kernel/drivers/edac/x38_edac.ko #lib/modules/KVER-ipfire/kernel/drivers/firewire #lib/modules/KVER-ipfire/kernel/drivers/firewire/firewire-core.ko @@ -1342,12 +1348,19 @@ lib/modules/KVER-ipfire #lib/modules/KVER-ipfire/kernel/drivers/misc/eeprom/max6875.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/enclosure.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/fsa9480.ko +#lib/modules/KVER-ipfire/kernel/drivers/misc/genwqe +#lib/modules/KVER-ipfire/kernel/drivers/misc/genwqe/genwqe_card.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/hpilo.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/ibmasm #lib/modules/KVER-ipfire/kernel/drivers/misc/ibmasm/ibmasm.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/ics932s401.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/lis3lv02d #lib/modules/KVER-ipfire/kernel/drivers/misc/lis3lv02d/lis3lv02d.ko +#lib/modules/KVER-ipfire/kernel/drivers/misc/mic +#lib/modules/KVER-ipfire/kernel/drivers/misc/mic/card +#lib/modules/KVER-ipfire/kernel/drivers/misc/mic/card/mic_card.ko +#lib/modules/KVER-ipfire/kernel/drivers/misc/mic/host +#lib/modules/KVER-ipfire/kernel/drivers/misc/mic/host/mic_host.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/pch_phub.ko #lib/modules/KVER-ipfire/kernel/drivers/misc/ti-st #lib/modules/KVER-ipfire/kernel/drivers/misc/ti-st/st_drv.ko diff --git a/config/rootfiles/common/x86_64/stage2 b/config/rootfiles/common/x86_64/stage2 index 0ac9ab5..531daaa 100644 --- a/config/rootfiles/common/x86_64/stage2 +++ b/config/rootfiles/common/x86_64/stage2 
@@ -74,6 +74,7 @@ run #usr/lib usr/lib/firewall usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/ipsec-block usr/lib/firewall/rules.pl #usr/lib/libgcc_s.so usr/lib/libgcc_s.so.1 diff --git a/config/rootfiles/core/94/exclude b/config/rootfiles/core/94/exclude deleted file mode 100644 index 4c7aa5a..0000000 --- a/config/rootfiles/core/94/exclude +++ /dev/null @@ -1,22 +0,0 @@ -boot/config.txt -etc/alternatives -etc/collectd.custom -etc/ipsec.conf -etc/ipsec.secrets -etc/ipsec.user.conf -etc/ipsec.user.secrets -etc/localtime -etc/shadow -etc/ssh/ssh_config -etc/ssh/sshd_config -etc/ssl/openssl.cnf -etc/sudoers -etc/sysconfig/firewall.local -etc/sysconfig/rc.local -etc/udev/rules.d/30-persistent-network.rules -srv/web/ipfire/html/proxy.pac -var/ipfire/ovpn -var/lib/alternatives -var/log/cache -var/state/dhcp/dhcpd.leases -var/updatecache diff --git a/config/rootfiles/core/94/filelists/armv5tel/glibc b/config/rootfiles/core/94/filelists/armv5tel/glibc deleted file mode 120000 index 4c70d72..0000000 --- a/config/rootfiles/core/94/filelists/armv5tel/glibc +++ /dev/null @@ -1 +0,0 @@ -../../../../common/armv5tel/glibc \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/bind b/config/rootfiles/core/94/filelists/bind deleted file mode 120000 index 48a0eba..0000000 --- a/config/rootfiles/core/94/filelists/bind +++ /dev/null @@ -1 +0,0 @@ -../../../common/bind \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/chkconfig b/config/rootfiles/core/94/filelists/chkconfig deleted file mode 120000 index 00ef4cf..0000000 --- a/config/rootfiles/core/94/filelists/chkconfig +++ /dev/null @@ -1 +0,0 @@ -../../../common/chkconfig \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/coreutils b/config/rootfiles/core/94/filelists/coreutils deleted file mode 120000 index 7351ed2..0000000 --- a/config/rootfiles/core/94/filelists/coreutils +++ /dev/null @@ -1 +0,0 @@ -../../../common/coreutils \ No newline at end of file 
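Review bot: usr/lib/firewall/ipsec-block is added uncommented to both config/rootfiles/common/stage2 and config/rootfiles/common/x86_64/stage2, so fresh images get it, but these hunks alone do not deliver it to systems that are already installed. Please confirm the path is also listed in config/rootfiles/core/95/filelists/files. If it is not, upgraded systems will lack a file that new installs have. It would also help to keep the two stage2 lists in step in a single commit so they cannot drift.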
diff --git a/config/rootfiles/core/94/filelists/dma b/config/rootfiles/core/94/filelists/dma deleted file mode 120000 index 60f4682..0000000 --- a/config/rootfiles/core/94/filelists/dma +++ /dev/null @@ -1 +0,0 @@ -../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/dnsmasq b/config/rootfiles/core/94/filelists/dnsmasq deleted file mode 120000 index d469c74..0000000 --- a/config/rootfiles/core/94/filelists/dnsmasq +++ /dev/null @@ -1 +0,0 @@ -../../../common/dnsmasq \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/file b/config/rootfiles/core/94/filelists/file deleted file mode 120000 index 0c60e43..0000000 --- a/config/rootfiles/core/94/filelists/file +++ /dev/null @@ -1 +0,0 @@ -../../../common/file \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files deleted file mode 100644 index 9ef227b..0000000 --- a/config/rootfiles/core/94/filelists/files +++ /dev/null @@ -1,27 +0,0 @@ -etc/system-release -etc/issue -etc/rc.d/init.d/networking/red -etc/rc.d/init.d/snort -etc/rc.d/init.d/sshd -srv/web/ipfire/cgi-bin/connscheduler.cgi -srv/web/ipfire/cgi-bin/dhcp.cgi -srv/web/ipfire/cgi-bin/dnsforward.cgi -srv/web/ipfire/cgi-bin/hosts.cgi -srv/web/ipfire/cgi-bin/logs.cgi/log.dat -srv/web/ipfire/cgi-bin/mac.cgi -srv/web/ipfire/cgi-bin/mail.cgi -srv/web/ipfire/cgi-bin/modem.cgi -srv/web/ipfire/cgi-bin/ovpnmain.cgi -srv/web/ipfire/cgi-bin/pppsetup.cgi -srv/web/ipfire/cgi-bin/proxy.cgi -srv/web/ipfire/cgi-bin/qos.cgi -srv/web/ipfire/cgi-bin/time.cgi -srv/web/ipfire/cgi-bin/updatexlrator.cgi -srv/web/ipfire/cgi-bin/urlfilter.cgi -srv/web/ipfire/cgi-bin/vpnmain.cgi -srv/web/ipfire/cgi-bin/wakeonlan.cgi -srv/web/ipfire/cgi-bin/wireless.cgi -var/ipfire/langs -var/ipfire/menu.d/10-system.menu -var/ipfire/menu.d/40-services.menu -var/ipfire/network-functions.pl 
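Review bot: the two hunks in config/rootfiles/common/x86_64/initscripts drop etc/rc.d/init.d/network-vlans and etc/rc.d/rcsysinit.d/S91network-vlans, while the udev hunk adds the apparent replacement as "#lib/udev/network-hotplug-vlan", that is, commented out. Two things to check: which rootfile actually ships network-hotplug-vlan, given that the udev entry is commented, and whether the core 95 update script deletes the old init script and the S91 symlink on upgraded systems, since removing a path from a rootfile does not remove it from disk. If either is missing, VLAN interfaces could be set up twice or not at all after the upgrade.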
diff --git a/config/rootfiles/core/94/filelists/fireinfo b/config/rootfiles/core/94/filelists/fireinfo deleted file mode 120000 index c461155..0000000 --- a/config/rootfiles/core/94/filelists/fireinfo +++ /dev/null @@ -1 +0,0 @@ -../../../common/fireinfo \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/hdparm b/config/rootfiles/core/94/filelists/hdparm deleted file mode 120000 index b644751..0000000 --- a/config/rootfiles/core/94/filelists/hdparm +++ /dev/null @@ -1 +0,0 @@ -../../../common/hdparm \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/i586/glibc b/config/rootfiles/core/94/filelists/i586/glibc deleted file mode 120000 index 943021f..0000000 --- a/config/rootfiles/core/94/filelists/i586/glibc +++ /dev/null @@ -1 +0,0 @@ -../../../../common/i586/glibc \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/iproute2 b/config/rootfiles/core/94/filelists/iproute2 deleted file mode 120000 index 05f0f71..0000000 --- a/config/rootfiles/core/94/filelists/iproute2 +++ /dev/null @@ -1 +0,0 @@ -../../../common/iproute2 \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/libgcrypt b/config/rootfiles/core/94/filelists/libgcrypt deleted file mode 120000 index 2df12a2..0000000 --- a/config/rootfiles/core/94/filelists/libgcrypt +++ /dev/null @@ -1 +0,0 @@ -../../../common/libgcrypt \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/libgpg-error b/config/rootfiles/core/94/filelists/libgpg-error deleted file mode 120000 index cad4313..0000000 --- a/config/rootfiles/core/94/filelists/libgpg-error +++ /dev/null @@ -1 +0,0 @@ -../../../common/libgpg-error \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/openssh b/config/rootfiles/core/94/filelists/openssh deleted file mode 120000 index d8c77fd..0000000 --- a/config/rootfiles/core/94/filelists/openssh +++ /dev/null @@ -1 +0,0 @@ -../../../common/openssh \ No newline at end of file 
diff --git a/config/rootfiles/core/94/filelists/pcre b/config/rootfiles/core/94/filelists/pcre deleted file mode 120000 index b390d9a..0000000 --- a/config/rootfiles/core/94/filelists/pcre +++ /dev/null @@ -1 +0,0 @@ -../../../common/pcre \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/perl-Email-Date-Format b/config/rootfiles/core/94/filelists/perl-Email-Date-Format deleted file mode 120000 index 9980811..0000000 --- a/config/rootfiles/core/94/filelists/perl-Email-Date-Format +++ /dev/null @@ -1 +0,0 @@ -../../../common/perl-Email-Date-Format \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/perl-MIME-Lite b/config/rootfiles/core/94/filelists/perl-MIME-Lite deleted file mode 120000 index aa0aa6b..0000000 --- a/config/rootfiles/core/94/filelists/perl-MIME-Lite +++ /dev/null @@ -1 +0,0 @@ -../../../common/perl-MIME-Lite \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/rrdtool b/config/rootfiles/core/94/filelists/rrdtool deleted file mode 120000 index 7a82e41..0000000 --- a/config/rootfiles/core/94/filelists/rrdtool +++ /dev/null @@ -1 +0,0 @@ -../../../common/rrdtool \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/setup b/config/rootfiles/core/94/filelists/setup deleted file mode 120000 index 209374b..0000000 --- a/config/rootfiles/core/94/filelists/setup +++ /dev/null @@ -1 +0,0 @@ -../../../common/setup \ No newline at end of file diff --git a/config/rootfiles/core/94/filelists/squid b/config/rootfiles/core/94/filelists/squid deleted file mode 120000 index 2dc8372..0000000 --- a/config/rootfiles/core/94/filelists/squid +++ /dev/null @@ -1 +0,0 @@ -../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/core/94/meta b/config/rootfiles/core/94/meta deleted file mode 100644 index d547fa8..0000000 --- a/config/rootfiles/core/94/meta +++ /dev/null @@ -1 +0,0 @@ -DEPS="" 
diff --git a/config/rootfiles/core/94/update.sh b/config/rootfiles/core/94/update.sh deleted file mode 100644 index 99aa046..0000000 --- a/config/rootfiles/core/94/update.sh +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 3 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2015 IPFire-Team info@ipfire.org. # -# # -############################################################################ -# -. /opt/pakfire/lib/functions.sh -/usr/local/bin/backupctrl exclude >/dev/null 2>&1 - -# Remove old core updates from pakfire cache to save space... 
-core=94 -for (( i=1; i<=$core; i++ )) -do - rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire -done - -# Stop services -/etc/init.d/squid stop -/etc/init.d/sshd stop -/etc/init.d/dnsmasq stop - -# Extract files -extract_files - -# Restart init after glibc update -telinit u - -# Update Language cache -/usr/local/bin/update-lang-cache - -# Update SSH configuration -sed -i /etc/ssh/sshd_config \ - -e 's/^#PermitRootLogin yes$/PermitRootLogin yes/' \ - -e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$||' \ - -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$||' \ - -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$||' \ - -e 's|^#?HostKey /etc/ssh/ssh_host_rsa_key$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \ - -# Move away old and unsupported keys -mv -f /etc/ssh/ssh_host_dsa_key{,.old} -# Regenerating weak RSA keys -mv -f /etc/ssh/ssh_host_key{,.old} -mv -f /etc/ssh/ssh_host_rsa_key{,.old} - -# Update crontab -sed -i /var/spool/cron/root.orig -e "/Force an update once a month/d" -sed -i /var/spool/cron/root.orig -e "/ddns update-all --force/d" - -grep -q "dma -q" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig - -# Retry sending spooled mails regularly -%hourly * /usr/sbin/dma -q - -# Cleanup the mail spool directory -%weekly * * /usr/sbin/dma-cleanup-spool -EOF - -fcrontab -z &>/dev/null - -# DMA - reconfigure Postfix if exists -if [ -e /etc/postfix/main.cf ] && [ ! 
-e "/usr/sbin/sendmail.postfix" ]; then - mv /usr/sbin/sendmail /usr/sbin/sendmail.postfix - /usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.postfix 15 - sed -i 's/usr/sbin/sendmail/usr/sbin/sendmail.postfix/' /opt/pakfire/db/rootfiles/postfix -fi -# DMA - configure dma as default mta -mkdir -p /etc/alternatives -mkdir -p /var/lib/alternatives -/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20 - -# Start services -/etc/init.d/dnsmasq start -/etc/init.d/sshd start -/etc/init.d/squid start - -# This update need a reboot... -#touch /var/run/need_reboot - -# Finish -/etc/init.d/fireinfo start -sendprofile -# Update grub config to display new core version -if [ -e /boot/grub/grub.cfg ]; then - grub-mkconfig -o /boot/grub/grub.cfg -fi -sync - -# Don't report the exitcode last command -exit 0 diff --git a/config/rootfiles/core/95/exclude b/config/rootfiles/core/95/exclude new file mode 100644 index 0000000..fe5e6a5 --- /dev/null +++ b/config/rootfiles/core/95/exclude @@ -0,0 +1,24 @@ +boot/config.txt +etc/alternatives +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/95/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/95/filelists/armv5tel/linux-kirkwood new file mode 120000 index 0000000..7217107 --- /dev/null +++ b/config/rootfiles/core/95/filelists/armv5tel/linux-kirkwood @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-kirkwood \ No newline at end of file 
diff --git a/config/rootfiles/core/95/filelists/armv5tel/linux-multi b/config/rootfiles/core/95/filelists/armv5tel/linux-multi new file mode 120000 index 0000000..204eb4c --- /dev/null +++ b/config/rootfiles/core/95/filelists/armv5tel/linux-multi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-multi \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/armv5tel/linux-rpi b/config/rootfiles/core/95/filelists/armv5tel/linux-rpi new file mode 120000 index 0000000..a651a49 --- /dev/null +++ b/config/rootfiles/core/95/filelists/armv5tel/linux-rpi @@ -0,0 +1 @@ +../../../../common/armv5tel/linux-rpi \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/ddns b/config/rootfiles/core/95/filelists/ddns new file mode 120000 index 0000000..7395164 --- /dev/null +++ b/config/rootfiles/core/95/filelists/ddns @@ -0,0 +1 @@ +../../../common/ddns \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/dma b/config/rootfiles/core/95/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/core/95/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files new file mode 100644 index 0000000..28c9e8e --- /dev/null +++ b/config/rootfiles/core/95/filelists/files 
@@ -0,0 +1,26 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/dnsmasq +etc/rc.d/init.d/firewall +etc/rc.d/init.d/networking/red.up/99-geoip-database +lib/udev/network-hotplug-vlan +lib/udev/rules.d/60-net.rules +srv/web/ipfire/cgi-bin/connections.cgi +srv/web/ipfire/cgi-bin/credits.cgi +srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/firewall.cgi +srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat +srv/web/ipfire/cgi-bin/mail.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/pppsetup.cgi +srv/web/ipfire/cgi-bin/routing.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/ipsec-block +usr/local/bin/ipsecctrl +usr/local/bin/settime +usr/local/bin/timecheck +var/ipfire/backup/exclude +var/ipfire/langs +var/ipfire/network-functions.pl diff --git a/config/rootfiles/core/95/filelists/i586/linux b/config/rootfiles/core/95/filelists/i586/linux new file mode 120000 index 0000000..693ec4b --- /dev/null +++ b/config/rootfiles/core/95/filelists/i586/linux @@ -0,0 +1 @@ +../../../../common/i586/linux \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/i586/linux-initrd b/config/rootfiles/core/95/filelists/i586/linux-initrd new file mode 120000 index 0000000..32a03e6 --- /dev/null +++ b/config/rootfiles/core/95/filelists/i586/linux-initrd @@ -0,0 +1 @@ +../../../../common/i586/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/i586/strongswan-padlock b/config/rootfiles/core/95/filelists/i586/strongswan-padlock new file mode 120000 index 0000000..2412824 --- /dev/null +++ b/config/rootfiles/core/95/filelists/i586/strongswan-padlock @@ -0,0 +1 @@ +../../../../common/i586/strongswan-padlock \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/ipset b/config/rootfiles/core/95/filelists/ipset new file mode 120000 index 0000000..2b43691 --- /dev/null +++ b/config/rootfiles/core/95/filelists/ipset 
@@ -0,0 +1 @@ +../../../common/ipset \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/lzo b/config/rootfiles/core/95/filelists/lzo new file mode 120000 index 0000000..8e11e78 --- /dev/null +++ b/config/rootfiles/core/95/filelists/lzo @@ -0,0 +1 @@ +../../../common/lzo \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/ntp b/config/rootfiles/core/95/filelists/ntp new file mode 120000 index 0000000..7542d86 --- /dev/null +++ b/config/rootfiles/core/95/filelists/ntp @@ -0,0 +1 @@ +../../../common/ntp \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/snort b/config/rootfiles/core/95/filelists/snort new file mode 120000 index 0000000..9406ce0 --- /dev/null +++ b/config/rootfiles/core/95/filelists/snort @@ -0,0 +1 @@ +../../../common/snort \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/strongswan b/config/rootfiles/core/95/filelists/strongswan new file mode 120000 index 0000000..90c727e --- /dev/null +++ b/config/rootfiles/core/95/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/x86_64/linux b/config/rootfiles/core/95/filelists/x86_64/linux new file mode 120000 index 0000000..0615b5b --- /dev/null +++ b/config/rootfiles/core/95/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/95/filelists/x86_64/linux-initrd b/config/rootfiles/core/95/filelists/x86_64/linux-initrd new file mode 120000 index 0000000..1b9fff7 --- /dev/null +++ b/config/rootfiles/core/95/filelists/x86_64/linux-initrd @@ -0,0 +1 @@ +../../../../common/x86_64/linux-initrd \ No newline at end of file diff --git a/config/rootfiles/core/95/meta b/config/rootfiles/core/95/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/core/95/meta @@ -0,0 +1 @@ +DEPS="" 
diff --git a/config/rootfiles/core/95/update.sh b/config/rootfiles/core/95/update.sh new file mode 100644 index 0000000..538a074 --- /dev/null +++ b/config/rootfiles/core/95/update.sh 
@@ -0,0 +1,256 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + + +function find_device() { + local mountpoint="${1}" + + local root + local dev mp fs flags rest + while read -r dev mp fs flags rest; do + # Skip unwanted entries + [ "${dev}" = "rootfs" ] && continue + + if [ "${mp}" = "${mountpoint}" ] && [ -b "${dev}" ]; then + root="$(basename "${dev}")" + break + fi + done < /proc/mounts + + # Get the actual device from the partition that holds / + while [ -n "${root}" ]; do + if [ -e "/sys/block/${root}" ]; then + echo "${root}" + return 0 + fi + + # Remove last character + root="${root::-1}" + done + + return 1 +} + + +# +# Remove old core updates from pakfire cache to save space... +core=95 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# +# Do some sanity checks. 
+case $(uname -r) in + *-ipfire-versatile ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update. versatile support is dropped." + # Report no error to pakfire. So it does not try to install it again. + exit 0 + ;; + *-ipfire* ) + # Ok. + ;; + * ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update. No IPFire Kernel." + exit 1 + ;; +esac + + +# +# +KVER="xxxKVERxxx" + +# Check diskspace on root +ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $ROOTSPACE -lt 100000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: ERROR cannot update because not enough free space on root." + exit 2 +fi + + +echo +echo Update Kernel to $KVER ... +# +# Remove old kernel, configs, initrd, modules, dtb's ... +# +rm -rf /boot/System.map-* +rm -rf /boot/config-* +rm -rf /boot/ipfirerd-* +rm -rf /boot/initramfs-* +rm -rf /boot/vmlinuz-* +rm -rf /boot/uImage-ipfire-* +rm -rf /boot/uInit-ipfire-* +rm -rf /boot/dtb-*-ipfire-* +rm -rf /lib/modules + +case "$(uname -m)" in + armv*) + # Backup uEnv.txt if exist + if [ -e /boot/uEnv.txt ]; then + cp -vf /boot/uEnv.txt /boot/uEnv.txt.org + fi + + # work around the u-boot folder detection bug + mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood + mkdir -pv /boot/dtb-$KVER-ipfire-multi + ;; +esac + +# Remove files +rm -f /etc/rc.d/init.d/network-vlans +rm -f /etc/rc.d/rcsysinit.d/S91network-vlans + +# +#Stop services +/etc/init.d/snort stop +/etc/init.d/squid stop +/etc/init.d/ipsec stop +/etc/init.d/ntp stop +/etc/init.d/apache stop + +# +#Extract files +tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p --numeric-owner -C / + +# Check diskspace on boot +BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + +if [ $BOOTSPACE -lt 1000 ]; then + case $(uname -r) in + *-ipfire-kirkwood ) + # Special handling for old kirkwood images. 
+ # (install only kirkwood kernel) + rm -rf /boot/* + # work around the u-boot folder detection bug + mkdir -pv /boot/dtb-$KVER-ipfire-kirkwood + tar xavf /opt/pakfire/tmp/files* --no-overwrite-dir -p \ + --numeric-owner -C / --wildcards 'boot/*-kirkwood*' + ;; + * ) + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: FATAL-ERROR space run out on boot. System is not bootable..." + /etc/init.d/apache start + exit 4 + ;; + esac +fi + +# Regenerate IPsec configuration +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi + +# Update Language cache +/usr/local/bin/update-lang-cache + +# +# Start services +# +/etc/init.d/apache start +/etc/init.d/ntp start +/etc/init.d/squid start +/etc/init.d/snort start +if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then + /etc/init.d/ipsec start +fi + +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig > /boot/grub/grub.cfg +fi + +# Upadate Kernel version uEnv.txt +if [ -e /boot/uEnv.txt ]; then + sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt +fi + +# call user update script (needed for some arm boards) +if [ -e /boot/pakfire-kernel-update ]; then + /boot/pakfire-kernel-update ${KVER} +fi + +case "$(uname -m)" in + i?86) + # Force (re)install pae kernel if pae is supported + rm -rf /opt/pakfire/db/installed/meta-linux-pae + if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then + ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1` + if [ $BOOTSPACE -lt 12000 -o $ROOTSPACE -lt 90000 ]; then + /usr/bin/logger -p syslog.emerg -t ipfire \ + "core-update-${core}: WARNING not enough space for pae kernel." 
+ else + echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae + echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae + echo "Release: 0" >> /opt/pakfire/db/installed/meta-linux-pae + fi + fi + ;; +esac +# +# After pakfire has ended run it again and update the lists and do upgrade +# +echo '#!/bin/bash' > /tmp/pak_update +echo 'while [ "$(ps -A | grep " update.sh")" != "" ]; do' >> /tmp/pak_update +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo 'while [ "$(ps -A | grep " pakfire")" != "" ]; do' >> /tmp/pak_update +echo ' sleep 1' >> /tmp/pak_update +echo 'done' >> /tmp/pak_update +echo '/opt/pakfire/pakfire update -y --force' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/opt/pakfire/pakfire upgrade -y' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Core-upgrade finished. If you use a customized grub/uboot config"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire "Check it before reboot !!!"' >> /tmp/pak_update +echo '/usr/bin/logger -p syslog.emerg -t ipfire " *** Please reboot... *** "' >> /tmp/pak_update +echo 'touch /var/run/need_reboot ' >> /tmp/pak_update +# +killall -KILL pak_update +chmod +x /tmp/pak_update +/tmp/pak_update & + +sync + +# +#Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +echo +echo Please wait until pakfire has ended... +echo + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/94/exclude b/config/rootfiles/oldcore/94/exclude new file mode 100644 index 0000000..4c7aa5a --- /dev/null +++ b/config/rootfiles/oldcore/94/exclude 
@@ -0,0 +1,22 @@ +boot/config.txt +etc/alternatives +etc/collectd.custom +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/ssh/ssh_config +etc/ssh/sshd_config +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/oldcore/94/filelists/armv5tel/glibc b/config/rootfiles/oldcore/94/filelists/armv5tel/glibc new file mode 120000 index 0000000..4c70d72 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/armv5tel/glibc @@ -0,0 +1 @@ +../../../../common/armv5tel/glibc \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/bind b/config/rootfiles/oldcore/94/filelists/bind new file mode 120000 index 0000000..48a0eba --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/bind @@ -0,0 +1 @@ +../../../common/bind \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/chkconfig b/config/rootfiles/oldcore/94/filelists/chkconfig new file mode 120000 index 0000000..00ef4cf --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/chkconfig @@ -0,0 +1 @@ +../../../common/chkconfig \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/coreutils b/config/rootfiles/oldcore/94/filelists/coreutils new file mode 120000 index 0000000..7351ed2 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/coreutils @@ -0,0 +1 @@ +../../../common/coreutils \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/dma b/config/rootfiles/oldcore/94/filelists/dma new file mode 120000 index 0000000..60f4682 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/dma @@ -0,0 +1 @@ +../../../common/dma \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/94/filelists/dnsmasq b/config/rootfiles/oldcore/94/filelists/dnsmasq new file mode 120000 index 0000000..d469c74 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/dnsmasq @@ -0,0 +1 @@ +../../../common/dnsmasq \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/file b/config/rootfiles/oldcore/94/filelists/file new file mode 120000 index 0000000..0c60e43 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/file @@ -0,0 +1 @@ +../../../common/file \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/files b/config/rootfiles/oldcore/94/filelists/files new file mode 100644 index 0000000..9ef227b --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/files @@ -0,0 +1,27 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/networking/red +etc/rc.d/init.d/snort +etc/rc.d/init.d/sshd +srv/web/ipfire/cgi-bin/connscheduler.cgi +srv/web/ipfire/cgi-bin/dhcp.cgi +srv/web/ipfire/cgi-bin/dnsforward.cgi +srv/web/ipfire/cgi-bin/hosts.cgi +srv/web/ipfire/cgi-bin/logs.cgi/log.dat +srv/web/ipfire/cgi-bin/mac.cgi +srv/web/ipfire/cgi-bin/mail.cgi +srv/web/ipfire/cgi-bin/modem.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/pppsetup.cgi +srv/web/ipfire/cgi-bin/proxy.cgi +srv/web/ipfire/cgi-bin/qos.cgi +srv/web/ipfire/cgi-bin/time.cgi +srv/web/ipfire/cgi-bin/updatexlrator.cgi +srv/web/ipfire/cgi-bin/urlfilter.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi +srv/web/ipfire/cgi-bin/wakeonlan.cgi +srv/web/ipfire/cgi-bin/wireless.cgi +var/ipfire/langs +var/ipfire/menu.d/10-system.menu +var/ipfire/menu.d/40-services.menu +var/ipfire/network-functions.pl diff --git a/config/rootfiles/oldcore/94/filelists/fireinfo b/config/rootfiles/oldcore/94/filelists/fireinfo new file mode 120000 index 0000000..c461155 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/fireinfo @@ -0,0 +1 @@ +../../../common/fireinfo \ No newline at end of file 
diff --git a/config/rootfiles/oldcore/94/filelists/hdparm b/config/rootfiles/oldcore/94/filelists/hdparm new file mode 120000 index 0000000..b644751 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/hdparm @@ -0,0 +1 @@ +../../../common/hdparm \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/i586/glibc b/config/rootfiles/oldcore/94/filelists/i586/glibc new file mode 120000 index 0000000..943021f --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/i586/glibc @@ -0,0 +1 @@ +../../../../common/i586/glibc \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/iproute2 b/config/rootfiles/oldcore/94/filelists/iproute2 new file mode 120000 index 0000000..05f0f71 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/iproute2 @@ -0,0 +1 @@ +../../../common/iproute2 \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/libgcrypt b/config/rootfiles/oldcore/94/filelists/libgcrypt new file mode 120000 index 0000000..2df12a2 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/libgcrypt @@ -0,0 +1 @@ +../../../common/libgcrypt \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/libgpg-error b/config/rootfiles/oldcore/94/filelists/libgpg-error new file mode 120000 index 0000000..cad4313 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/libgpg-error @@ -0,0 +1 @@ +../../../common/libgpg-error \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/openssh b/config/rootfiles/oldcore/94/filelists/openssh new file mode 120000 index 0000000..d8c77fd --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/pcre b/config/rootfiles/oldcore/94/filelists/pcre new file mode 120000 index 0000000..b390d9a --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/pcre 
@@ -0,0 +1 @@ +../../../common/pcre \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format b/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format new file mode 120000 index 0000000..9980811 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/perl-Email-Date-Format @@ -0,0 +1 @@ +../../../common/perl-Email-Date-Format \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite b/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite new file mode 120000 index 0000000..aa0aa6b --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/perl-MIME-Lite @@ -0,0 +1 @@ +../../../common/perl-MIME-Lite \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/rrdtool b/config/rootfiles/oldcore/94/filelists/rrdtool new file mode 120000 index 0000000..7a82e41 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/rrdtool @@ -0,0 +1 @@ +../../../common/rrdtool \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/setup b/config/rootfiles/oldcore/94/filelists/setup new file mode 120000 index 0000000..209374b --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/setup @@ -0,0 +1 @@ +../../../common/setup \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/filelists/squid b/config/rootfiles/oldcore/94/filelists/squid new file mode 120000 index 0000000..2dc8372 --- /dev/null +++ b/config/rootfiles/oldcore/94/filelists/squid @@ -0,0 +1 @@ +../../../common/squid \ No newline at end of file diff --git a/config/rootfiles/oldcore/94/meta b/config/rootfiles/oldcore/94/meta new file mode 100644 index 0000000..d547fa8 --- /dev/null +++ b/config/rootfiles/oldcore/94/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/oldcore/94/update.sh b/config/rootfiles/oldcore/94/update.sh new file mode 100644 index 0000000..99aa046 --- /dev/null +++ b/config/rootfiles/oldcore/94/update.sh 
@@ -0,0 +1,106 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... 
+core=94 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/squid stop +/etc/init.d/sshd stop +/etc/init.d/dnsmasq stop + +# Extract files +extract_files + +# Restart init after glibc update +telinit u + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Update SSH configuration +sed -i /etc/ssh/sshd_config \ + -e 's/^#PermitRootLogin yes$/PermitRootLogin yes/' \ + -e 's|^#?HostKey /etc/ssh/ssh_host_dsa_key$||' \ + -e 's|^#?HostKey /etc/ssh/ssh_host_ecdsa_key$||' \ + -e 's|^#?HostKey /etc/ssh/ssh_host_ed25519_key$||' \ + -e 's|^#?HostKey /etc/ssh/ssh_host_rsa_key$|HostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\nHostKey /etc/ssh/ssh_host_rsa_key|' \ + +# Move away old and unsupported keys +mv -f /etc/ssh/ssh_host_dsa_key{,.old} +# Regenerating weak RSA keys +mv -f /etc/ssh/ssh_host_key{,.old} +mv -f /etc/ssh/ssh_host_rsa_key{,.old} + +# Update crontab +sed -i /var/spool/cron/root.orig -e "/Force an update once a month/d" +sed -i /var/spool/cron/root.orig -e "/ddns update-all --force/d" + +grep -q "dma -q" /var/spool/cron/root.orig || cat <<EOF >> /var/spool/cron/root.orig + +# Retry sending spooled mails regularly +%hourly * /usr/sbin/dma -q + +# Cleanup the mail spool directory +%weekly * * /usr/sbin/dma-cleanup-spool +EOF + +fcrontab -z &>/dev/null + +# DMA - reconfigure Postfix if exists +if [ -e /etc/postfix/main.cf ] && [ ! 
-e "/usr/sbin/sendmail.postfix" ]; then + mv /usr/sbin/sendmail /usr/sbin/sendmail.postfix + /usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.postfix 15 + sed -i 's/usr/sbin/sendmail/usr/sbin/sendmail.postfix/' /opt/pakfire/db/rootfiles/postfix +fi +# DMA - configure dma as default mta +mkdir -p /etc/alternatives +mkdir -p /var/lib/alternatives +/usr/sbin/alternatives --install /usr/sbin/sendmail sendmail /usr/sbin/sendmail.dma 20 + +# Start services +/etc/init.d/dnsmasq start +/etc/init.d/sshd start +/etc/init.d/squid start + +# This update need a reboot... +#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/udev/60-net.rules b/config/udev/60-net.rules index 4f22a1e..dc39ff0 100644 --- a/config/udev/60-net.rules +++ b/config/udev/60-net.rules @@ -1,3 +1,7 @@ # Call a script that checks for the right name of the new device. # If it matches the configuration it will be renamed accordingly. ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-rename", RESULT=="?*", NAME="$result" + +# Call a script that will create all virtual devices for a parent device +# that has just come up. +ACTION=="add", SUBSYSTEM=="net", PROGRAM="/lib/udev/network-hotplug-vlan" diff --git a/config/udev/network-hotplug-vlan b/config/udev/network-hotplug-vlan new file mode 100644 index 0000000..f7b6a9d --- /dev/null +++ b/config/udev/network-hotplug-vlan 
@@ -0,0 +1,87 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 2 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2015 IPFire Team info@ipfire.org # +# # +############################################################################ + +[ -n "${INTERFACE}" ] || exit 2 + +CONFIG_FILE="/var/ipfire/ethernet/vlans" + +# Skip immediately if no configuration file has been found. +[ -e "${CONFIG_FILE}" ] || exit 0 + +eval $(/usr/local/bin/readhash ${CONFIG_FILE}) + +for interface in green0 red0 blue0 orange0; do + case "${interface}" in + green*) + PARENT_DEV=${GREEN_PARENT_DEV} + VLAN_ID=${GREEN_VLAN_ID} + MAC_ADDRESS=${GREEN_MAC_ADDRESS} + ;; + red*) + PARENT_DEV=${RED_PARENT_DEV} + VLAN_ID=${RED_VLAN_ID} + MAC_ADDRESS=${RED_MAC_ADDRESS} + ;; + blue*) + PARENT_DEV=${BLUE_PARENT_DEV} + VLAN_ID=${BLUE_VLAN_ID} + MAC_ADDRESS=${BLUE_MAC_ADDRESS} + ;; + orange*) + PARENT_DEV=${ORANGE_PARENT_DEV} + VLAN_ID=${ORANGE_VLAN_ID} + MAC_ADDRESS=${ORANGE_MAC_ADDRESS} + ;; + esac + + # If the parent device does not match the interface that + # has just come up, we will go on for the next one. + [ "${PARENT_DEV}" = "${INTERFACE}" ] || continue + + # Check if the interface does already exists. 
+ # If so, we skip creating it. + if [ -d "/sys/class/net/${interface}" ]; then + echo "Interface ${interface} already exists." >&2 + continue + fi + + if [ -z "${VLAN_ID}" ]; then + echo "${interface}: You did not set the VLAN ID." >&2 + continue + fi + + # Build command line. + command="ip link add link ${PARENT_DEV} name ${interface}" + if [ -n "${MAC_ADDRESS}" ]; then + command="${command} address ${MAC_ADDRESS}" + fi + command="${command} type vlan id ${VLAN_ID}" + + echo "Creating VLAN interface ${interface}..." + ${command} + + # Bring up the parent device. + ip link set ${PARENT_DEV} up +done + +exit 0 diff --git a/doc/language_issues.de b/doc/language_issues.de index 54d9de9..6c47184 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -82,6 +82,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute diff --git a/doc/language_issues.en b/doc/language_issues.en index 95477de..68e351c 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -100,6 +100,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute 
diff --git a/doc/language_issues.es b/doc/language_issues.es index 91945ff..84298f4 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es @@ -95,6 +95,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart @@ -668,6 +669,11 @@ WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward @@ -989,6 +995,7 @@ WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths WARNING: untranslated string: random number generator daemon WARNING: untranslated string: red1 +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 344ef07..e9915c8 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -95,6 +95,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart @@ -675,6 +676,11 @@ WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: dnat address WARNING: untranslated string: dns address deleted txt WARNING: untranslated string: dns servers @@ -1000,6 +1006,7 @@ WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths WARNING: untranslated string: random number generator daemon WARNING: untranslated string: red1 +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.it b/doc/language_issues.it index 38614d6..420a46c 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -99,6 +99,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute @@ -674,6 +675,11 @@ WARNING: untranslated string: advproxy group access control WARNING: untranslated string: advproxy group required WARNING: untranslated string: bytes WARNING: untranslated string: check all +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: email config WARNING: untranslated string: email empty field WARNING: untranslated string: email invalid @@ -729,6 +735,7 @@ WARNING: untranslated string: ovpn add conf WARNING: untranslated string: pptp netconfig WARNING: untranslated string: pptp peer WARNING: untranslated string: pptp route +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 2d3c78b..c876987 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -99,6 +99,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute @@ -679,6 +680,11 @@ WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: dns servers WARNING: untranslated string: dnssec aware WARNING: untranslated string: dnssec information @@ -771,6 +777,7 @@ WARNING: untranslated string: pptp netconfig WARNING: untranslated string: pptp peer WARNING: untranslated string: pptp route WARNING: untranslated string: random number generator daemon +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 91945ff..84298f4 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -95,6 +95,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart @@ -668,6 +669,11 @@ WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward @@ -989,6 +995,7 @@ WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths WARNING: untranslated string: random number generator daemon WARNING: untranslated string: red1 +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 4531670..a03f300 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -95,6 +95,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: cfg restart @@ -669,6 +670,11 @@ WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dh parameter +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: disk access per WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers @@ -983,6 +989,7 @@ WARNING: untranslated string: proxy reports weekly WARNING: untranslated string: qos enter bandwidths WARNING: untranslated string: random number generator daemon WARNING: untranslated string: red1 +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 672a49d..5d1ceb7 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -99,6 +99,7 @@ WARNING: translation string unused: cache management WARNING: translation string unused: cache size WARNING: translation string unused: calamaris report interval (in minutes) WARNING: translation string unused: calc traffic all x minutes +WARNING: translation string unused: cannot enable both nat traversal and compression WARNING: translation string unused: cant enable xtaccess WARNING: translation string unused: capsinactive WARNING: translation string unused: ccd err iroute @@ -666,6 +667,11 @@ WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: Scan for Songs WARNING: untranslated string: bytes WARNING: untranslated string: check all +WARNING: untranslated string: dhcp dns enable update +WARNING: untranslated string: dhcp dns key name +WARNING: untranslated string: dhcp dns update +WARNING: untranslated string: dhcp dns update algo +WARNING: untranslated string: dhcp dns update secret WARNING: untranslated string: email config WARNING: untranslated string: email empty field WARNING: untranslated string: email invalid @@ -708,6 +714,7 @@ WARNING: untranslated string: ovpn add conf WARNING: untranslated string: pptp netconfig WARNING: untranslated string: pptp peer WARNING: untranslated string: pptp route +WARNING: untranslated string: required field WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed diff --git a/doc/language_missings b/doc/language_missings index 97e2d18..9da0122 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -85,6 +85,11 @@ < deprecated fs warn < details < dh +< dhcp dns enable update +< dhcp dns key name +< dhcp dns update +< dhcp dns update algo +< dhcp dns update secret < dh key move failed < dh key warn < dh key warn1 @@ -468,6 +473,7 @@ < qos enter bandwidths < random number generator daemon < red1 +< required field < samba join a domain < samba join domain < search 
@@ -689,6 +695,11 @@ < deprecated fs warn < details < dh +< dhcp dns enable update +< dhcp dns key name +< dhcp dns update +< dhcp dns update algo +< dhcp dns update secret < dh key move failed < dh key warn < dh key warn1 @@ -1077,6 +1088,7 @@ < qos enter bandwidths < random number generator daemon < red1 +< required field < samba join a domain < samba join domain < search @@ -1274,6 +1286,11 @@ < deprecated fs warn < details < dh +< dhcp dns enable update +< dhcp dns key name +< dhcp dns update +< dhcp dns update algo +< dhcp dns update secret < dh key move failed < dh key warn < dh key warn1 @@ -1650,6 +1667,7 @@ < qos enter bandwidths < random number generator daemon < red1 +< required field < samba join a domain < samba join domain < search @@ -1847,6 +1865,11 @@ < deprecated fs warn < details < dh +< dhcp dns enable update +< dhcp dns key name +< dhcp dns update +< dhcp dns update algo +< dhcp dns update secret < dh key move failed < dh key warn < dh key warn1 @@ -2226,6 +2249,7 @@ < qos enter bandwidths < random number generator daemon < red1 +< required field < samba join a domain < samba join domain < search diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi index 4eb9cd7..85a9cd7 100644 --- a/html/cgi-bin/connections.cgi +++ b/html/cgi-bin/connections.cgi @@ -261,15 +261,19 @@ close(IPSEC);
foreach my $line (@ipsec) { my @vpn = split(',', $line); - my ($network, $mask) = split("/", $vpn[12]);
- if (!&General::validip($mask)) { - $mask = ipv4_cidr2msk($mask); - } + my @subnets = split('|', $vpn[12]); + for my $subnet (@subnets) { + my ($network, $mask) = split("/", $subnet); + + if (!&General::validip($mask)) { + $mask = ipv4_cidr2msk($mask); + }
- push(@network, $network); - push(@masklen, $mask); - push(@colour, ${Header::colourvpn}); + push(@network, $network); + push(@masklen, $mask); + push(@colour, ${Header::colourvpn}); + } }
if (-e "${General::swroot}/ovpn/n2nconf") { diff --git a/html/cgi-bin/credits.cgi b/html/cgi-bin/credits.cgi index 19fae9b..f370e80 100644 --- a/html/cgi-bin/credits.cgi +++ b/html/cgi-bin/credits.cgi @@ -58,40 +58,75 @@ print <<END </center> <br><br>
-<p><b>Development:</b><br /> - -Arne Fitzenreiter -(<a href='mailto:arne.fitzenreiter\@ipfire.org'>arne.fitzenreiter@ipfire.org</a>) - Maintainer IPFire 2.x <br /> -Michael Tremer -(<a href='mailto:michael.tremer\@ipfire.org'>michael.tremer@ipfire.org</a>) - Project Leader <br /> -Christian Schmidt -(<a href='mailto:christian.schmidt\@ipfire.org'>christian.schmidt@ipfire.org</a>) - Vice Project Leader <br /> -Stefan Schantl -(<a href='mailto:stefan.schantl\@ipfire.org'>stefan.schantl@ipfire.org</a>)<br /> -Alexander Marx -(<a href='mailto:alexander.marx\@ipfire.org'>alexander.marx@ipfire.org</a>)<br /> -Heiner Schmeling -(<a href='mailto:heiner.schmeling\@ipfire.org'>heiner.schmeling@ipfire.org</a>)<br /> -Ronald Wiesinger -(<a href='mailto:ronald.wiesinger\@ipfire.org'>ronald.wiesinger@ipfire.org</a>)<br /> -Silvio Rechenbach -(<a href='mailto:silvio.rechenbach\@ipfire.org'>silvio.rechenbach@ipfire.org</a>)<br /> -Dirk Wagner -(<a href='mailto:dirk.wagner\@ipfire.org'>dirk.wagner@ipfire.org</a>)<br /> -Erik Kapfer -(<a href='mailto:erik.kapfer\@ipfire.org'>erik.kapfer@ipfire.org</a>)<br /> -Alfred Haas -(<a href='mailto:alfred.haas\@ipfire.org'>alfred.haas@ipfire.org</a>)<br /> - -<p><b>Inactive:</b><br /> - -Peter Pfeiffer -(<a href='mailto:peter.pfeifer\@ipfire.org'>peter.pfeifer@ipfire.org</a>)<br /> -Peter Schälchli -(<a href='mailto:peter.schaelchli\@ipfire.org'>peter.schaelchli@ipfire.org</a>)<br /> -Jan Paul Tücking -(<a href='mailto:jan.tuecking\@ipfire.org'>jan.tuecking@ipfire.org</a>)<br /> +<p> + <strong>Core Developers:</strong> </p> + +<ul style="list-style: none"> + <li> + Michael Tremer + (<a href='mailto:michael.tremer\@ipfire.org'>michael.tremer@ipfire.org</a>) + </li> + <li> + Arne Fitzenreiter + (<a href='mailto:arne.fitzenreiter\@ipfire.org'>arne.fitzenreiter@ipfire.org</a>) + </li> + <li> + Stefan Schantl + (<a href='mailto:stefan.schantl\@ipfire.org'>stefan.schantl@ipfire.org</a>) + </li> + <li> + Alexander Marx + (<a 
href='mailto:alexander.marx\@ipfire.org'>alexander.marx@ipfire.org</a>) + </li> +</ul> + +<p> + <strong>Community Developers:</strong> +</p> + +<ul style="list-style: none"> + <li> + Christian Schmidt + (<a href='mailto:christian.schmidt\@ipfire.org'>christian.schmidt@ipfire.org</a>) + </li> + <li> + Jan Paul Tücking + (<a href='mailto:jan.tuecking\@ipfire.org'>jan.tuecking@ipfire.org</a>) + </li> + <li> + Heiner Schmeling + (<a href='mailto:heiner.schmeling\@ipfire.org'>heiner.schmeling@ipfire.org</a>) + </li> + <li> + Ronald Wiesinger + (<a href='mailto:ronald.wiesinger\@ipfire.org'>ronald.wiesinger@ipfire.org</a>) + </li> + <li> + Silvio Rechenbach + (<a href='mailto:silvio.rechenbach\@ipfire.org'>silvio.rechenbach@ipfire.org</a>) + </li> + <li> + Dirk Wagner + (<a href='mailto:dirk.wagner\@ipfire.org'>dirk.wagner@ipfire.org</a>) + </li> + <li> + Erik Kapfer + (<a href='mailto:erik.kapfer\@ipfire.org'>erik.kapfer@ipfire.org</a>) + </li> + <li> + Alfred Haas + (<a href='mailto:alfred.haas\@ipfire.org'>alfred.haas@ipfire.org</a>) + </li> + <li> + Peter Pfeiffer + (<a href='mailto:peter.pfeifer\@ipfire.org'>peter.pfeifer@ipfire.org</a>) + </li> + <li> + Peter Schälchli + (<a href='mailto:peter.schaelchli\@ipfire.org'>peter.schaelchli@ipfire.org</a>) + </li> +</ul> END ; &Header::closebox(); diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index a22bcd4..3eb5349 100644 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -70,11 +70,17 @@ foreach my $itf (@ITFs) { $dhcpsettings{"NTP2_${itf}"} = ''; $dhcpsettings{"NEXT_${itf}"} = ''; $dhcpsettings{"FILE_${itf}"} = ''; + $dhcpsettings{"DNS_UPDATE_KEY_NAME_${itf}"} = ''; + $dhcpsettings{"DNS_UPDATE_KEY_SECRET_${itf}"} = ''; + $dhcpsettings{"DNS_UPDATE_KEY_ALGO_${itf}"} = ''; }
$dhcpsettings{'SORT_FLEASELIST'} = 'FIPADDR'; $dhcpsettings{'SORT_LEASELIST'} = 'IPADDR';
+# DNS Update settings +$dhcpsettings{'DNS_UPDATE_ENABLED'} = 'off'; + #Settings2 for editing the multi-line list #Must not be saved with writehash ! $dhcpsettings{'FIX_MAC'} = ''; 
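Review bot: in html/cgi-bin/connections.cgi (hunk @@ -261,15 +261,19), split('|', $vpn[12]) does not split on the pipe character. Perl treats the first argument of split as a pattern, and an unescaped | is an alternation of two empty patterns, so the field is cut between every character and each single character is then passed to split("/", $subnet) as if it were a network/mask pair. Use split(/\|/, $vpn[12]) so that every subnet in the field reaches the loop intact.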
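Review bot: the per-interface default added in html/cgi-bin/dhcp.cgi (hunk @@ -70,11 +70,17) is named DNS_UPDATE_KEY_ALGO_${itf}, but the form hunk later in the same file (@@ -596,6 +602,78) fills %selected from 'DNS_UPDATE_ALGO_${inf}'. That key is single-quoted, so nothing is interpolated, it says ${inf} where the loop variable is $itf, and it drops KEY from the name, while the option tag looks up $selected{'DNS_UPDATE_KEY_ALGO_${itf}'}{'hmac-md5'}. The stored algorithm is therefore never marked as selected; build the hash key as "DNS_UPDATE_KEY_ALGO_${itf}" in double quotes in both places. The same form hunk also opens a second <tr> where the closing </tr> of the checkbox row was meant.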
@@ -596,6 +602,78 @@ print <<END <td width='40%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> </tr> </table> +END +; +&Header::closebox(); + +# DHCP DNS update support (RFC2136) +&Header::openbox('100%', 'left', $Lang::tr{'dhcp dns update'}); + +my %checked = (); +$checked{'DNS_UPDATE_ENABLED'}{'on'} = ( $dhcpsettings{'DNS_UPDATE_ENABLED'} ne 'on') ? '' : "checked='checked'"; + +print <<END +<table width='100%'> + <tr> + <td width='25%' class='boldbase'>$Lang::tr{'dhcp dns enable update'}</td> + <td class='base'><input type='checkbox' name='DNS_UPDATE_ENABLED' $checked{'DNS_UPDATE_ENABLED'}{'on'}> + </td> + <tr> +</table> + +<table width='100%'> +END +; + my @domains = (); + + # Print options for each interface. + foreach my $itf (@ITFs) { + # Check if DHCP for this interface is enabled. + if ($dhcpsettings{"ENABLE_${itf}"} eq 'on') { + # Check for same domain name. + next if ($dhcpsettings{"DOMAIN_NAME_${itf}"} ~~ @domains); + my $lc_itf = lc($itf); + + # Select previously configured update algorithm. 
+ my %selected = (); + $selected{'DNS_UPDATE_ALGO_${inf}'}{$dhcpsettings{'DNS_UPDATE_ALGO_${inf}'}} = 'selected'; + +print <<END + <tr> + <td colspan='6'> </td> + </tr> + <tr> + <td colspan='6' class='boldbase'><b>$dhcpsettings{"DOMAIN_NAME_${itf}"}</b></td> + </tr> + <tr> + <td width='10%' class='boldbase'>$Lang::tr{'dhcp dns key name'}:</td> + <td width='20%'><input type='text' name='DNS_UPDATE_KEY_NAME_${itf}' value='$dhcpsettings{"DNS_UPDATE_KEY_NAME_${itf}"}'></td> + <td width='10%' class='boldbase' align='right'>$Lang::tr{'dhcp dns update secret'}: </td> + <td width='20%'><input type='password' name='DNS_UPDATE_KEY_SECRET_${itf}' value='$dhcpsettings{"DNS_UPDATE_KEY_SECRET_${itf}"}'></td> + <td width='10%' class='boldbase' align='right'>$Lang::tr{'dhcp dns update algo'}: </td> + <td width='20%'> + <select name='DNS_UPDATE_KEY_ALGO_${itf}'> + <!-- <option value='hmac-sha1' $selected{'DNS_UPDATE_KEY_ALGO_${itf}'}{'hmac-sha1'}>HMAC-SHA1</option> --> + <option value='hmac-md5' $selected{'DNS_UPDATE_KEY_ALGO_${itf}'}{'hmac-md5'}>HMAC-MD5</option> + </select> + </td> + </tr> +END +; + } + + # Store configured domain based on the interface + # in the temporary variable. + push(@domains, $dhcpsettings{"DOMAIN_NAME_${itf}"}); +} +print <<END +</table> +<hr> +<table width='100%'> + <tr> + <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> + </tr> +</table> </form> END ; @@ -1131,9 +1209,19 @@ sub buildconf { flock(FILE, 2);
# Global settings - print FILE "ddns-update-style none;\n"; print FILE "deny bootp; #default\n"; print FILE "authoritative;\n"; + + # DNS Update settings + if ($dhcpsettings{'DNS_UPDATE_ENABLED'} eq 'on') { + print FILE "ddns-updates on;\n"; + print FILE "ddns-update-style interim;\n"; + print FILE "ddns-ttl 60; # 1 min\n"; + print FILE "ignore client-updates;\n"; + print FILE "update-static-leases on;\n"; + } else { + print FILE "ddns-update-style none;\n"; + }
# Write first new option definition foreach my $line (@current1) { @@ -1162,12 +1250,13 @@ sub buildconf { } }# on }# foreach line + print FILE "\n";
#Subnet range definition foreach my $itf (@ITFs) { my $lc_itf=lc($itf); if ($dhcpsettings{"ENABLE_${itf}"} eq 'on' ){ - print FILE "\nsubnet " . $netsettings{"${itf}_NETADDRESS"} . " netmask ". $netsettings{"${itf}_NETMASK"} . " #$itf\n"; + print FILE "subnet " . $netsettings{"${itf}_NETADDRESS"} . " netmask ". $netsettings{"${itf}_NETMASK"} . " #$itf\n"; print FILE "{\n"; print FILE "\trange " . $dhcpsettings{"START_ADDR_${itf}"} . ' ' . $dhcpsettings{"END_ADDR_${itf}"}.";\n" if ($dhcpsettings{"START_ADDR_${itf}"}); print FILE "\toption subnet-mask " . $netsettings{"${itf}_NETMASK"} . ";\n"; @@ -1204,7 +1293,18 @@ sub buildconf { } }# on }# foreach line - print FILE "} #$itf\n"; + print FILE "} #$itf\n\n"; + + if (($dhcpsettings{"DNS_UPDATE_ENABLED"} eq "on") && ($dhcpsettings{"DNS_UPDATE_KEY_NAME_${itf}"} ne "")) { + print FILE "key " . $dhcpsettings{"DNS_UPDATE_KEY_NAME_${itf}"} . " {\n"; + print FILE "\talgorithm " . $dhcpsettings{"DNS_UPDATE_KEY_ALGO_${itf}"} . ";\n"; + print FILE "\tsecret "" . $dhcpsettings{"DNS_UPDATE_KEY_SECRET_${itf}"} . "";\n"; + print FILE "};\n\n"; + + print FILE "zone " . $dhcpsettings{"DOMAIN_NAME_${itf}"} . ". {\n"; + print FILE "\tkey " . $dhcpsettings{"DNS_UPDATE_KEY_NAME_${itf}"} . ";\n"; + print FILE "}\n\n"; + }
system ('/usr/bin/touch', "${General::swroot}/dhcp/enable_${lc_itf}"); &General::log("DHCP on ${itf}: " . $Lang::tr{'dhcp server enabled'}) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index c207ec7..8007182 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -31,6 +31,7 @@ no warnings 'uninitialized'; #use CGI::Carp 'fatalsToBrowser';
require '/var/ipfire/general-functions.pl'; +require '/var/ipfire/network-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/geoip-functions.pl"; @@ -465,6 +466,9 @@ sub checksource } } if ($fwdfwsettings{'isip'} eq 'on'){ + #remove leading zero + $ip = &Network::ip_remove_zero($ip); + ##check if ip is valid if (! &General::validip($ip)){ $errormessage.=$Lang::tr{'fwdfw err src_addr'}."<br>"; @@ -569,11 +573,15 @@ sub checktarget ($ip,$subnet)=split (///,$fwdfwsettings{'tgt_addr'}); $subnet = &General::iporsubtocidr($subnet); } + #check if only ip if($fwdfwsettings{'tgt_addr'}=~/^(\d{1,3}).(\d{1,3}).(\d{1,3}).(\d{1,3})$/){ $ip=$fwdfwsettings{'tgt_addr'}; $subnet='32'; } + #remove leading zero + $ip = &Network::ip_remove_zero($ip); + #check if ip is valid if (! &General::validip($ip)){ $errormessage.=$Lang::tr{'fwdfw err tgt_addr'}."<br>"; @@ -597,7 +605,7 @@ sub checktarget &General::readhasharray("$confighost", %customhost); foreach my $grpkey (sort keys %customgrp){ foreach my $hostkey (sort keys %customhost){ - if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customhost{$hostkey}[1] eq 'mac'){ + if ($customgrp{$grpkey}[2] eq $customhost{$hostkey}[0] && $customgrp{$grpkey}[2] eq $fwdfwsettings{$fwdfwsettings{'grp2'}} && $customhost{$hostkey}[1] eq 'mac'){ $hint=$Lang::tr{'fwdfw hint mac'}; return $hint; } diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 994a50a..35afad3 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -27,6 +27,7 @@ use Sort::Naturally; use CGI::Carp 'fatalsToBrowser'; no warnings 'uninitialized'; require '/var/ipfire/general-functions.pl'; +require '/var/ipfire/network-functions.pl'; require "/var/ipfire/geoip-functions.pl"; require "/usr/lib/firewall/firewall-lib.pl"; require "${General::swroot}/lang.pl"; 
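Review bot: in html/cgi-bin/dhcp.cgi, sub buildconf (hunk @@ -1204,7 +1293,18), the key name, algorithm, secret and domain name are concatenated from %dhcpsettings straight into the key and zone blocks, and none of the dhcp.cgi hunks shown here validates those fields when the form is saved. A quote, semicolon, brace or newline in any of them changes the structure of the generated dhcpd configuration, so before writing, restrict the key name and domain to hostname characters, the secret to base64, and the algorithm to the values the select offers. The form hunk also echoes the stored secret back into the page (value='$dhcpsettings{"DNS_UPDATE_KEY_SECRET_${itf}"}'); leaving that field empty on redisplay would keep the TSIG secret out of the HTML.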
@@ -277,6 +278,9 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) &addnet; &viewtablenet; }else{ + #convert ip if leading '0' exists + $fwhostsettings{'IP'} = &Network::ip_remove_zero($fwhostsettings{'IP'}); + #check valid ip if (!&General::validipandmask($fwhostsettings{'IP'}."/".$fwhostsettings{'SUBNET'})) { @@ -372,9 +376,6 @@ if ($fwhostsettings{'ACTION'} eq 'savenet' ) foreach my $i (0 .. 3) { $customnetwork{$key}[$i] = "";} $fwhostsettings{'SUBNET'} = &General::iporsubtocidr($fwhostsettings{'SUBNET'}); $customnetwork{$key}[0] = $fwhostsettings{'HOSTNAME'}; - #convert ip when leading '0' in byte - $fwhostsettings{'IP'} =&General::ip2dec($fwhostsettings{'IP'}); - $fwhostsettings{'IP'} =&General::dec2ip($fwhostsettings{'IP'}); $customnetwork{$key}[1] = &General::getnetworkip($fwhostsettings{'IP'},$fwhostsettings{'SUBNET'}) ; $customnetwork{$key}[2] = &General::iporsubtodec($fwhostsettings{'SUBNET'}) ; $customnetwork{$key}[3] = $fwhostsettings{'NETREMARK'}; @@ -423,6 +424,9 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') } #CHECK IP-PART if ($fwhostsettings{'type'} eq 'ip'){ + #convert ip if leading '0' exists + $fwhostsettings{'IP'} = &Network::ip_remove_zero($fwhostsettings{'IP'}); + #check for subnet if (rindex($fwhostsettings{'IP'},'/') eq '-1' ){ if($fwhostsettings{'type'} eq 'ip' && !&General::validipandmask($fwhostsettings{'IP'}."/32")) @@ -503,9 +507,6 @@ if ($fwhostsettings{'ACTION'} eq 'savehost') $customhost{$key}[0] = $fwhostsettings{'HOSTNAME'} ; $customhost{$key}[1] = $fwhostsettings{'type'} ; if ($fwhostsettings{'type'} eq 'ip'){ - #convert ip when leading '0' in byte - $fwhostsettings{'IP'}=&General::ip2dec($fwhostsettings{'IP'}); - $fwhostsettings{'IP'}=&General::dec2ip($fwhostsettings{'IP'}); $customhost{$key}[2] = $fwhostsettings{'IP'}."/".&General::iporsubtodec($fwhostsettings{'SUBNET'}); }else{ $customhost{$key}[2] = $fwhostsettings{'IP'}; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5ada911..f17b16a 100644 
--- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -263,9 +263,9 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control #################################
if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=$snorts..."; + $url=" https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkcode=$snorts..."; } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" https://www.snort.org/rules/snortrules-snapshot-2970.tar.gz?oinkcode=$snorts..."; + $url=" https://www.snort.org/rules/snortrules-snapshot-2976.tar.gz?oinkcode=$snorts..."; } elsif ($snortsettings{'RULES'} eq 'community') { $url=" https://www.snort.org/rules/community"; } else { diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat index 29c0842..f998a62 100644 --- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat +++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat @@ -456,7 +456,17 @@ for($s=0;$s<$lines;$s++) $color++; print "<tr>";
- print "<td align='center' $col><form method='post' action='showrequestfromcountry.dat'><input type='hidden' name='MONTH' value='$cgiparams{'MONTH'}'> <input type='hidden' name='DAY' value='$cgiparams{'DAY'}'> <input type='hidden' name='country' value='$key[$s]'> <input type='submit' value='details'></form></td>"; + print "<td align='center' $col>"; + + # Dont show details button for "unknown" location. + if ($key[$s] ne 'unknown') { + print"<form method='post' action='showrequestfromcountry.dat'>"; + print"<input type='hidden' name='MONTH' value='$cgiparams{'MONTH'}'>"; + print"<input type='hidden' name='DAY' value='$cgiparams{'DAY'}'>"; + print"<input type='hidden' name='country' value='$key[$s]'>"; + print"<input type='submit' value='details'></form>"; + } + if($key[$s] eq 'blue0' || $key[$s] eq 'green0' || $key[$s] eq 'orange0') { print "<td align='center' $col>$key[$s]</td>"; } diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index be663a6..9cf14ca 100755 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -110,9 +110,12 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}"){ #SaveButton on configsite $mail{'SENDER'} = $cgiparams{'txt_mailsender'}; $mail{'RECIPIENT'} = $cgiparams{'txt_recipient'};
- $auth{'AUTHNAME'} = $cgiparams{'txt_mailuser'}; - $auth{'AUTHPASS'} = $cgiparams{'txt_mailpass'}; - $auth{'AUTHHOST'} = $cgiparams{'txt_mailserver'}; + if ($cgiparams{'txt_mailuser'} && $cgiparams{'txt_mailpass'}) { + $auth{'AUTHNAME'} = $cgiparams{'txt_mailuser'}; + $auth{'AUTHPASS'} = $cgiparams{'txt_mailpass'}; + $auth{'AUTHHOST'} = $cgiparams{'txt_mailserver'}; + print TXT1 "$auth{'AUTHNAME'}|$auth{'AUTHHOST'}:$auth{'AUTHPASS'}\n"; + }
$dma{'SMARTHOST'} = $cgiparams{'txt_mailserver'}; $dma{'PORT'} = $cgiparams{'txt_mailport'}; @@ -129,7 +132,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}"){ #SaveButton on configsite print TXT "$k $v\n"; } close TXT; - print TXT1 "$auth{'AUTHNAME'}|$auth{'AUTHHOST'}:$auth{'AUTHPASS'}\n"; + close TXT1; close TXT2;
}else{ @@ -150,12 +153,15 @@ sub configsite{
#If update set fieldvalues new if($cgiparams{'update'} eq 'on'){ - $dma{'USEMAIL'}= 'on'; + $mail{'USEMAIL'} = 'on'; + $mail{'SENDER'} = $cgiparams{'txt_mailsender'}; + $mail{'RECIPIENT'} = $cgiparams{'txt_recipient'}; $dma{'SMARTHOST'} = $cgiparams{'txt_mailserver'}; $dma{'PORT'} = $cgiparams{'txt_mailport'}; - $auth{'AUTHUSER'} = $cgiparams{'txt_mailuser'}; + $auth{'AUTHNAME'} = $cgiparams{'txt_mailuser'}; $auth{'AUTHHOST'} = $cgiparams{'txt_mailserver'}; $auth{'AUTHPASS'} = $cgiparams{'txt_mailpass'}; + $dma{'STARTTLS'} = $cgiparams{'mail_tls'}; } #find preselections $checked{'usemail'}{$mail{'USEMAIL'}} = 'CHECKED'; @@ -232,7 +238,7 @@ END <td><input type='checkbox' name='mail_tls' $checked{'mail_tls'}{'on'}></td> </tr> END - if (! -z $dmafile && $mail{'USEMAIL'} eq 'on'){ + if (! -z $dmafile && $mail{'USEMAIL'} eq 'on' && !$errormessage){ print "<tr>"; print "<td></td>"; print "<td><input type='submit' name='ACTION' value='$Lang::tr{'email testmail'}'></td>"; @@ -328,18 +334,3 @@ sub error { &Header::closebox(); } } - - - - - - - - - - - - - - - diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 9e252a9..62af54e 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -926,6 +926,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; print SERVERCONF "# Client Gateway Network\n"; print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "up "/etc/init.d/static-routes start"\n"; print SERVERCONF "# tun Device\n"; print SERVERCONF "dev tun\n"; print SERVERCONF "#Logfile for statistics\n"; 
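Review bot: in html/cgi-bin/logs.cgi/firewalllogcountry.dat (hunk @@ -456,7 +456,17), the table cell is no longer closed. The removed line ended with </form></td>, while the replacement prints <td align='center' $col> and at most </form>, so for every row the next <td> opens inside an unclosed cell, and for 'unknown' the cell is left open and empty. Print </td> after the closing brace of the if ($key[$s] ne 'unknown') block.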
@@ -1025,8 +1026,12 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; print CLIENTCONF "# Server Gateway Network\n"; print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "up "/etc/init.d/static-routes start"\n"; print CLIENTCONF "# tun Device\n"; print CLIENTCONF "dev tun\n"; + print CLIENTCONF "#Logfile for statistics\n"; + print CLIENTCONF "status-version 1\n"; + print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print CLIENTCONF "# Port and Protokol\n"; print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
@@ -2138,6 +2143,9 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; print CLIENTCONF "# tun Device\n"; print CLIENTCONF "dev tun\n"; + print CLIENTCONF "#Logfile for statistics\n"; + print CLIENTCONF "status-version 1\n"; + print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n"; print CLIENTCONF "# Port and Protokoll\n"; print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
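Review bot: this hunk builds the status file name from $cgiparams{'NAME'}, while the neighbouring lines of the same block read the connection from the stored record, for example port $confighash{$cgiparams{'KEY'}}[29]. If NAME is not posted on this path, the directive becomes status /var/run/openvpn/-n2n 10, so take the name from the stored record as the surrounding lines do. The block also does not get the up "/etc/init.d/static-routes start" line that hunk @@ -1025,8 +1026,12 adds to the other CLIENTCONF writer, so the two generated client configurations now differ; add it here or say in the commit message why it is left out.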
@@ -2265,9 +2273,41 @@ else print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } + my $file_crt = new File::Temp( UNLINK => 1 ); + my $file_key = new File::Temp( UNLINK => 1 ); + my $include_certs = 0; + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + if ($cgiparams{'MODE'} eq 'insecure') { + $include_certs = 1; + + # Add the CA + print CLIENTCONF ";ca cacert.pem\r\n"; + $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + + # Extract the certificate + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); + if ($?) { + die "openssl error: $?"; + } + + $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die; + print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; + + # Extract the key + system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); + if ($?) 
{ + die "openssl error: $?"; + } + + $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die; + print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + } else { + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + } } else { print CLIENTCONF "ca cacert.pem\r\n"; print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; @@ -2282,6 +2322,9 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') { + if ($cgiparams{'MODE'} eq 'insecure') { + print CLIENTCONF ";"; + } print CLIENTCONF "tls-auth ta.key\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } 
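Review bot: in the `@@ -2265` hunk above, the unencrypted export is selected purely by the request parameter `MODE` being `insecure`; the branch does not check that the connection is stored as passwordless (`$confighash{$key}[41] eq "no-pass"`, which is what the new download button is gated on). A request with MODE=insecure for a password-protected .p12 then reaches `openssl pkcs12 ... -passin pass:` and ends in `die "openssl error: $?"`. Check the stored flag alongside MODE before extracting the key, and give the two bare `or die` calls on `$zip->addFile` a message like the other calls have.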
@@ -2306,6 +2349,53 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } } + + if ($include_certs) { + print CLIENTCONF "\r\n"; + + # CA + open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem"); + print CLIENTCONF "<ca>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</ca>\r\n\r\n"; + close(FILE); + + # Cert + open(FILE, "<$file_crt"); + print CLIENTCONF "<cert>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</cert>\r\n\r\n"; + close(FILE); + + # Key + open(FILE, "<$file_key"); + print CLIENTCONF "<key>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</key>\r\n\r\n"; + close(FILE); + + # TLS auth + if ($vpnsettings{'TLSAUTH'} eq 'on') { + open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); + print CLIENTCONF "<tls-auth>\r\n"; + while (<FILE>) { + chomp($_); + print CLIENTCONF "$_\r\n"; + } + print CLIENTCONF "</tls-auth>\r\n\r\n"; + close(FILE); + } + } + # Print client.conf.local if entries exist to client.ovpn if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') { open (LCC, "$local_clientconf"); @@ -4251,6 +4341,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[39] = $cgiparams{'DAUTH'}; $confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) { + $confighash{$key}[41] = "no-pass"; + } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash); if ($cgiparams{'CHECK1'} ){ @@ -5127,7 +5221,7 @@ END <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th> + <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END } @@ -5141,7 +5235,7 @@ END <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> - <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th> + <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th> </tr> END } @@ -5240,6 +5334,21 @@ END </td></form> END ; + + if ($confighash{$key}[41] eq "no-pass") { + print <<END; + <form method='post' name='frm${key}g'><td align='center' $col> + <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png' + alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' /> + <input type='hidden' name='MODE' value='insecure' /> + <input type='hidden' name='KEY' value='$key' /> + </td></form> +END + } else { + print "<td $col> </td>"; + } + if ($confighash{$key}[4] eq 'cert') { print <<END; <form method='post' name='frm${key}b'><td align='center' $col> diff --git a/html/cgi-bin/pppsetup.cgi b/html/cgi-bin/pppsetup.cgi index b3e8e6c..36d0ced 100644 
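Review bot: in the `@@ -2306` hunk of ovpnmain.cgi, none of the four `open(FILE, "<...")` calls that build the inline `<ca>`, `<cert>`, `<key>` and `<tls-auth>` blocks checks its return value, so a failed open produces an empty block and a client config that looks complete but cannot connect. The four read loops are identical; a small helper taking the tag name and path, using three-argument `open` with a lexical handle and `or die`, would remove both the duplication and the silent failure.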
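Review bot: in the `@@ -4251` hunk of ovpnmain.cgi, `$confighash{$key}[41]` is set to `no-pass` whenever `CERT_PASS1` is empty in the current request, and no branch clears it again. The flag therefore describes the form input rather than the stored .p12, and it is what later enables the MODE=insecure download button. Add an else branch that resets field 41, and a short comment documenting the new field.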
--- a/html/cgi-bin/pppsetup.cgi +++ b/html/cgi-bin/pppsetup.cgi @@ -980,12 +980,14 @@ print <<END <td colspan='2' width='50%'>$Lang::tr{'legend'}:</td> <td colspan='2' width='50%'><img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td> </tr> -</table> END ; -&Header::closebox(); }
+print "</table>"; + +&Header::closebox(); + print "</form>\n";
&Header::closebigbox(); diff --git a/html/cgi-bin/routing.cgi b/html/cgi-bin/routing.cgi index c460a74..2c60f67 100644 --- a/html/cgi-bin/routing.cgi +++ b/html/cgi-bin/routing.cgi @@ -118,12 +118,16 @@ if ($settings{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { }
if ($settings{'ACTION'} eq $Lang::tr{'add'}) { - # Convert subnet masks to CIDR notation. - $settings{'IP'} = &General::iporsubtocidr($settings{'IP'});
-# Validate inputs - if (( !&General::validip($settings{'IP'})) and ( !&General::validipandmask($settings{'IP'}))){ + # Validate inputs + if (!&General::validipandmask($settings{'IP'}))){ $errormessage = $Lang::tr{'invalid ip'}." / ".$Lang::tr{'invalid netmask'}; + }else{ + #set networkip if not already correctly defined + my($ip,$cidr) = split(///,$settings{'IP'}); + $cidr = &General::iporsubtocidr($cidr); + my $netip=&General::getnetworkip($ip,$cidr); + $settings{'IP'} = "$netip/$cidr"; }
if ($settings{'IP'} =~ /^0.0.0.0/){ diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 91f4b45..193e405 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -27,6 +27,7 @@ use warnings; use CGI::Carp 'fatalsToBrowser';
require '/var/ipfire/general-functions.pl'; +require "${General::swroot}/geoip-functions.pl"; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl";
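Review bot: in html/cgi-bin/routing.cgi (the `@@ -118,12` hunk above), the new condition `if (!&General::validipandmask($settings{'IP'}))){` has one closing parenthesis more than it opens, so as shown the script does not compile; the removed line was balanced only because it opened with `if ((`. Dropping the `validip` alternative also means a bare host address is now rejected, which deserves a mention in the commit message if intended. When validation fails, `$settings{'IP'}` is left as submitted and the following `0.0.0.0` check still runs on it.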
@@ -619,10 +620,14 @@ END END
if (exists($node->{'country_code'})) { - if (!$node->{'country_code'} or $node->{'country_code'} eq '??') { - print "<img src='/images/flags/blank.png' border='0' align='absmiddle'/>"; + # Get the flag icon of the country. + my $flag_icon = &GeoIP::get_flag_icon($node->{'country_code'}); + + # Check if a flag for the given country is available. + if ($flag_icon) { + print "<a href='country.cgi#$node->{'country_code'}'><img src='$flag_icon' border='0' align='absmiddle' alt='$node->{'country_code'}'></a>"; } else { - print "<a href='country.cgi#$node->{'country_code'}'><img src='/images/flags/$node->{'country_code'}.png' border='0' align='absmiddle' alt='$node->{'country_code'}'></a>"; + print "<img src='/images/flags/blank.png' border='0' align='absmiddle'/>"; } }
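Review bot: `$node->{'country_code'}` is still written unescaped into the `href` and `alt` attributes of the flag link, and it is a value taken from the node record rather than from local configuration. Now that `&GeoIP::get_flag_icon` decides whether a flag exists, pass the code through `&Header::cleanhtml` before interpolating it, or have the lookup return a normalised code along with the icon path.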
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 65fc80f..f1cffb8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -40,8 +40,7 @@ undef (@dummy); ### ### Initialize variables ### -my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status - # (let the ipsec do its job) +my $sleepDelay = 4; # after a call to ipsecctrl S or R, wait this delay (seconds) before reading status (let the ipsec do its job) my %netsettings=(); our %cgiparams=(); our %vpnsettings=(); 
@@ -132,306 +131,300 @@ sub valid_dns_host { ### Just return true is one interface is vpn enabled ### sub vpnenabled { - return ($vpnsettings{'ENABLED'} eq 'on'); + return ($vpnsettings{'ENABLED'} eq 'on'); } ### -### old version: maintain serial number to one, without explication. -### this : let the counter go, so that each cert is numbered. +### old version: maintain serial number to one, without explication. +### this: let the counter go, so that each cert is numbered. ### -sub cleanssldatabase -{ - if (open(FILE, ">${General::swroot}/certs/serial")) { - print FILE "01"; - close FILE; - } - if (open(FILE, ">${General::swroot}/certs/index.txt")) { - print FILE ""; - close FILE; - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/serial.old"); - unlink ("${General::swroot}/certs/01.pem"); +sub cleanssldatabase { + if (open(FILE, ">${General::swroot}/certs/serial")) { + print FILE "01"; + close FILE; + } + if (open(FILE, ">${General::swroot}/certs/index.txt")) { + print FILE ""; + close FILE; + } + unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/serial.old"); + unlink ("${General::swroot}/certs/01.pem"); } -sub newcleanssldatabase -{ - if (! -s "${General::swroot}/certs/serial" ) { - open(FILE, ">${General::swroot}/certs/serial"); - print FILE "01"; - close FILE; - } - if (! -s ">${General::swroot}/certs/index.txt") { - system ("touch ${General::swroot}/certs/index.txt"); - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/serial.old"); -# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete +sub newcleanssldatabase { + if (! -s "${General::swroot}/certs/serial" ) { + open(FILE, ">${General::swroot}/certs/serial"); + print FILE "01"; + close FILE; + } + if (! 
-s ">${General::swroot}/certs/index.txt") { + system ("touch ${General::swroot}/certs/index.txt"); + } + unlink ("${General::swroot}/certs/index.txt.old"); + unlink ("${General::swroot}/certs/serial.old"); +# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete }
### ### Call openssl and return errormessage if any ### sub callssl ($) { - my $opt = shift; - my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr - my $ret = ''; - foreach my $line (split (/\n/, $retssl)) { - &General::log("ipsec", "$line") if (0); # 1 for verbose logging - $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); - } - if ($ret) { - $ret= &Header::cleanhtml($ret); - } - return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; + my $opt = shift; + my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr + my $ret = ''; + foreach my $line (split (/\n/, $retssl)) { + &General::log("ipsec", "$line") if (0); # 1 for verbose logging + $ret .= '<br>'.$line if ( $line =~ /error|unknown/ ); + } + if ($ret) { + $ret= &Header::cleanhtml($ret); + } + return $ret ? "$Lang::tr{'openssl produced an error'}: $ret" : '' ; } ### ### Obtain a CN from given cert ### sub getCNfromcert ($) { - #&General::log("ipsec", "Extracting name from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $temp =~ s/,//g; - $temp =~ s/'//g; - return $temp; + #&General::log("ipsec", "Extracting name from $_[0]..."); + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $temp =~ s/,//g; + $temp =~ s/'//g; + return $temp; } ### ### Obtain Subject from given cert ### sub getsubjectfromcert ($) { - #&General::log("ipsec", "Extracting subject from $_[0]..."); - my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =~ /Subject: (.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - return $temp; + #&General::log("ipsec", "Extracting subject from $_[0]..."); + my $temp = `/usr/bin/openssl x509 -text -in $_[0]`; + $temp =~ /Subject: (.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + return $temp; } ### -### 
Combine local subnet and connection name to make a unique name for each connection section +### Combine local subnet and connection name to make a unique name for each connection section ### (this sub is not used now) ### sub makeconnname ($) { - my $conn = shift; - my $subnet = shift; - - $subnet =~ /^(.*?)/(.*?)$/; # $1=IP $2=mask - my $ip = unpack('N', &Socket::inet_aton($1)); - if (length ($2) > 2) { - my $mm = unpack('N', &Socket::inet_aton($2)); - while ( ($mm & 1)==0 ) { - $ip >>= 1; - $mm >>= 1; - }; - } else { - $ip >>= (32 - $2); - } - return sprintf ("%s-%X", $conn, $ip); + my $conn = shift; + my $subnet = shift; + + $subnet =~ /^(.*?)/(.*?)$/; # $1=IP $2=mask + my $ip = unpack('N', &Socket::inet_aton($1)); + if (length ($2) > 2) { + my $mm = unpack('N', &Socket::inet_aton($2)); + while ( ($mm & 1)==0 ) { + $ip >>= 1; + $mm >>= 1; + }; + } else { + $ip >>= (32 - $2); + } + return sprintf ("%s-%X", $conn, $ip); } ### ### Write a config file. ### ###Type=Host : GUI can choose the interface used (RED,GREEN,BLUE) and ### the side is always defined as 'left'. -### configihash[14]: 'VHOST' is allowed ###
sub writeipsecfiles { - my %lconfighash = (); - my %lvpnsettings = (); - &General::readhasharray("${General::swroot}/vpn/config", %lconfighash); - &General::readhash("${General::swroot}/vpn/settings", %lvpnsettings); - - open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; - open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; - flock CONF, 2; - flock SECRETS, 2; - print CONF "version 2\n\n"; - print CONF "conn %default\n"; - print CONF "\tkeyingtries=%forever\n"; - print CONF "\n"; - - # Add user includes to config file - if (-e "/etc/ipsec.user.conf") { - print CONF "include /etc/ipsec.user.conf\n"; - print CONF "\n"; - } - - print SECRETS "include /etc/ipsec.user.secrets\n"; - - if (-f "${General::swroot}/certs/hostkey.pem") { - print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" - } - my $last_secrets = ''; # old the less specifics connections - - foreach my $key (keys %lconfighash) { - next if ($lconfighash{$key}[0] ne 'on'); - - #remote peer is not set? 
=> use '%any' - $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); - - my $localside; - if ($lconfighash{$key}[26] eq 'BLUE') { - $localside = $netsettings{'BLUE_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'GREEN') { - $localside = $netsettings{'GREEN_ADDRESS'}; - } elsif ($lconfighash{$key}[26] eq 'ORANGE') { - $localside = $netsettings{'ORANGE_ADDRESS'}; - } else { # it is RED - $localside = $lvpnsettings{'VPN_IP'}; - } - - print CONF "conn $lconfighash{$key}[1]\n"; - print CONF "\tleft=$localside\n"; - my $cidr_net=&General::ipcidr($lconfighash{$key}[8]); - print CONF "\tleftsubnet=$cidr_net\n"; - print CONF "\tleftfirewall=yes\n"; - print CONF "\tlefthostaccess=yes\n"; - - print CONF "\tright=$lconfighash{$key}[10]\n"; - if ($lconfighash{$key}[3] eq 'net') { - my $cidr_net=&General::ipcidr($lconfighash{$key}[11]); - print CONF "\trightsubnet=$cidr_net\n"; - } elsif ($lconfighash{$key}[10] eq '%any' && $lconfighash{$key}[14] eq 'on') { #vhost allowed for roadwarriors? - print CONF "\trightsubnet=vhost:%no,%priv\n"; - } - - # Local Cert and Remote Cert (unless auth is DN dn-auth) - if ($lconfighash{$key}[4] eq 'cert') { - print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; - print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); - } - - # Local and Remote IDs - print CONF "\tleftid="$lconfighash{$key}[7]"\n" if ($lconfighash{$key}[7]); - print CONF "\trightid="$lconfighash{$key}[9]"\n" if ($lconfighash{$key}[9]); - - # Is PFS enabled? - my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off'; - - # Algorithms - if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { - my @encs = split('|', $lconfighash{$key}[18]); - my @ints = split('|', $lconfighash{$key}[19]); - my @groups = split('|', $lconfighash{$key}[20]); - - my @algos = &make_algos("ike", @encs, @ints, @groups, 1); - print CONF "\tike=" . 
join(",", @algos); - - if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; - } + my %lconfighash = (); + my %lvpnsettings = (); + &General::readhasharray("${General::swroot}/vpn/config", %lconfighash); + &General::readhash("${General::swroot}/vpn/settings", %lvpnsettings); + + open(CONF, ">${General::swroot}/vpn/ipsec.conf") or die "Unable to open ${General::swroot}/vpn/ipsec.conf: $!"; + open(SECRETS, ">${General::swroot}/vpn/ipsec.secrets") or die "Unable to open ${General::swroot}/vpn/ipsec.secrets: $!"; + flock CONF, 2; + flock SECRETS, 2; + print CONF "version 2\n\n"; + print CONF "conn %default\n"; + print CONF "\tkeyingtries=%forever\n"; + print CONF "\n"; + + # Add user includes to config file + if (-e "/etc/ipsec.user.conf") { + print CONF "include /etc/ipsec.user.conf\n"; + print CONF "\n"; }
- if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { - my @encs = split('|', $lconfighash{$key}[21]); - my @ints = split('|', $lconfighash{$key}[22]); - my @groups = split('|', $lconfighash{$key}[23]); + print SECRETS "include /etc/ipsec.user.secrets\n"; + + if (-f "${General::swroot}/certs/hostkey.pem") { + print SECRETS ": RSA ${General::swroot}/certs/hostkey.pem\n" + } + my $last_secrets = ''; # old the less specifics connections
- # Use IKE grouptype if no ESP group type has been selected - # (for backwards compatibility) - if ($lconfighash{$key}[23] eq "") { - @groups = split('|', $lconfighash{$key}[20]); + foreach my $key (keys %lconfighash) { + next if ($lconfighash{$key}[0] ne 'on'); + + #remote peer is not set? => use '%any' + $lconfighash{$key}[10] = '%any' if ($lconfighash{$key}[10] eq ''); + + my $localside; + if ($lconfighash{$key}[26] eq 'BLUE') { + $localside = $netsettings{'BLUE_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'GREEN') { + $localside = $netsettings{'GREEN_ADDRESS'}; + } elsif ($lconfighash{$key}[26] eq 'ORANGE') { + $localside = $netsettings{'ORANGE_ADDRESS'}; + } else { # it is RED + $localside = $lvpnsettings{'VPN_IP'}; }
- my @algos = &make_algos("esp", @encs, @ints, @groups, ($pfs eq "on")); - print CONF "\tesp=" . join(",", @algos); + print CONF "conn $lconfighash{$key}[1]\n"; + print CONF "\tleft=$localside\n"; + print CONF "\tleftsubnet=" . &make_subnets($lconfighash{$key}[8]) . "\n"; + print CONF "\tleftfirewall=yes\n"; + print CONF "\tlefthostaccess=yes\n"; + print CONF "\tright=$lconfighash{$key}[10]\n";
- if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? - print CONF "!\n"; - } else { - print CONF "\n"; + if ($lconfighash{$key}[3] eq 'net') { + print CONF "\trightsubnet=" . &make_subnets($lconfighash{$key}[11]) . "\n"; } - }
- # IKE V1 or V2 - if (! $lconfighash{$key}[29]) { - $lconfighash{$key}[29] = "ikev1"; - } - print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; + # Local Cert and Remote Cert (unless auth is DN dn-auth) + if ($lconfighash{$key}[4] eq 'cert') { + print CONF "\tleftcert=${General::swroot}/certs/hostcert.pem\n"; + print CONF "\trightcert=${General::swroot}/certs/$lconfighash{$key}[1]cert.pem\n" if ($lconfighash{$key}[2] ne '%auth-dn'); + }
- # Lifetimes - print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); - print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); + # Local and Remote IDs + print CONF "\tleftid="$lconfighash{$key}[7]"\n" if ($lconfighash{$key}[7]); + print CONF "\trightid="$lconfighash{$key}[9]"\n" if ($lconfighash{$key}[9]);
- # Compression - print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); + # Is PFS enabled? + my $pfs = $lconfighash{$key}[28] eq 'on' ? 'on' : 'off';
- # Force MOBIKE? - if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) { - print CONF "\tmobike=yes\n"; - } + # Algorithms + if ($lconfighash{$key}[18] && $lconfighash{$key}[19] && $lconfighash{$key}[20]) { + my @encs = split('|', $lconfighash{$key}[18]); + my @ints = split('|', $lconfighash{$key}[19]); + my @groups = split('|', $lconfighash{$key}[20]);
- # Dead Peer Detection - my $dpdaction = $lconfighash{$key}[27]; - print CONF "\tdpdaction=$dpdaction\n"; + my @algos = &make_algos("ike", @encs, @ints, @groups, 1); + print CONF "\tike=" . join(",", @algos);
- # If the dead peer detection is disabled and IKEv2 is used, - # dpddelay must be set to zero, too. - if ($dpdaction eq "none") { - if ($lconfighash{$key}[29] eq "ikev2") { - print CONF "\tdpddelay=0\n"; + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } } - } else { - my $dpddelay = $lconfighash{$key}[31]; - if (!$dpddelay) { - $dpddelay = 30; - } - print CONF "\tdpddelay=$dpddelay\n"; - my $dpdtimeout = $lconfighash{$key}[30]; - if (!$dpdtimeout) { - $dpdtimeout = 120; - } - print CONF "\tdpdtimeout=$dpdtimeout\n"; - } - - # Build Authentication details: LEFTid RIGHTid : PSK psk - my $psk_line; - if ($lconfighash{$key}[4] eq 'psk') { - $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; - $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; - # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. - if ($psk_line =~ /%any/) { - $last_secrets .= $psk_line; - } else { - print SECRETS $psk_line; - } - print CONF "\tauthby=secret\n"; - } else { - print CONF "\tauthby=rsasig\n"; - print CONF "\tleftrsasigkey=%cert\n"; - print CONF "\trightrsasigkey=%cert\n"; - }
- # Automatically start only if a net-to-net connection - if ($lconfighash{$key}[3] eq 'host') { - print CONF "\tauto=add\n"; - print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; - } else { - print CONF "\tauto=start\n"; - } + if ($lconfighash{$key}[21] && $lconfighash{$key}[22]) { + my @encs = split('|', $lconfighash{$key}[21]); + my @ints = split('|', $lconfighash{$key}[22]); + my @groups = split('|', $lconfighash{$key}[23]); + + # Use IKE grouptype if no ESP group type has been selected + # (for backwards compatibility) + if ($lconfighash{$key}[23] eq "") { + @groups = split('|', $lconfighash{$key}[20]); + }
- # Fragmentation - print CONF "\tfragmentation=yes\n"; + my @algos = &make_algos("esp", @encs, @ints, @groups, ($pfs eq "on")); + print CONF "\tesp=" . join(",", @algos);
- print CONF "\n"; - }#foreach key - - # Add post user includes to config file - # After the GUI-connections allows to patch connections. - if (-e "/etc/ipsec.user-post.conf") { - print CONF "include /etc/ipsec.user-post.conf\n"; - print CONF "\n"; - } - - print SECRETS $last_secrets if ($last_secrets); - close(CONF); - close(SECRETS); + if ($lconfighash{$key}[24] eq 'on') { #only proposed algorythms? + print CONF "!\n"; + } else { + print CONF "\n"; + } + } + + # IKE V1 or V2 + if (! $lconfighash{$key}[29]) { + $lconfighash{$key}[29] = "ikev1"; + } + + print CONF "\tkeyexchange=$lconfighash{$key}[29]\n"; + + # Lifetimes + print CONF "\tikelifetime=$lconfighash{$key}[16]h\n" if ($lconfighash{$key}[16]); + print CONF "\tkeylife=$lconfighash{$key}[17]h\n" if ($lconfighash{$key}[17]); + + # Compression + print CONF "\tcompress=yes\n" if ($lconfighash{$key}[13] eq 'on'); + + # Force MOBIKE? + if (($lconfighash{$key}[29] eq "ikev2") && ($lconfighash{$key}[32] eq 'on')) { + print CONF "\tmobike=yes\n"; + } + + # Dead Peer Detection + my $dpdaction = $lconfighash{$key}[27]; + print CONF "\tdpdaction=$dpdaction\n"; + + # If the dead peer detection is disabled and IKEv2 is used, + # dpddelay must be set to zero, too. + if ($dpdaction eq "none") { + if ($lconfighash{$key}[29] eq "ikev2") { + print CONF "\tdpddelay=0\n"; + } + } else { + my $dpddelay = $lconfighash{$key}[31]; + if (!$dpddelay) { + $dpddelay = 30; + } + print CONF "\tdpddelay=$dpddelay\n"; + my $dpdtimeout = $lconfighash{$key}[30]; + if (!$dpdtimeout) { + $dpdtimeout = 120; + } + print CONF "\tdpdtimeout=$dpdtimeout\n"; + } + + # Build Authentication details: LEFTid RIGHTid : PSK psk + my $psk_line; + if ($lconfighash{$key}[4] eq 'psk') { + $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; + $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? 
+ $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. + if ($psk_line =~ /%any/) { + $last_secrets .= $psk_line; + } else { + print SECRETS $psk_line; + } + print CONF "\tauthby=secret\n"; + } else { + print CONF "\tauthby=rsasig\n"; + print CONF "\tleftrsasigkey=%cert\n"; + print CONF "\trightrsasigkey=%cert\n"; + } + + # Automatically start only if a net-to-net connection + if ($lconfighash{$key}[3] eq 'host') { + print CONF "\tauto=add\n"; + print CONF "\trightsourceip=$lvpnsettings{'RW_NET'}\n"; + } else { + print CONF "\tauto=start\n"; + } + + # Fragmentation + print CONF "\tfragmentation=yes\n"; + + print CONF "\n"; + } #foreach key + + # Add post user includes to config file + # After the GUI-connections allows to patch connections. + if (-e "/etc/ipsec.user-post.conf") { + print CONF "include /etc/ipsec.user-post.conf\n"; + print CONF "\n"; + } + + print SECRETS $last_secrets if ($last_secrets); + close(CONF); + close(SECRETS); }
# Hook to regenerate the configuration files. 
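Review bot: this hunk of vpnmain.cgi is almost entirely re-indentation, but it also changes behaviour in `writeipsecfiles`: `leftsubnet` and `rightsubnet` now go through `&make_subnets(...)` instead of `&General::ipcidr(...)`, and the branch that wrote `rightsubnet=vhost:%no,%priv` for `%any` peers is gone together with the `configihash[14]` comment. Split the whitespace change from the functional one so the latter can be reviewed and bisected on its own. While touching `newcleanssldatabase`, note that the carried-over test `-s ">${General::swroot}/certs/index.txt"` includes the `>` in the file name, so it never sees the real index.txt.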
@@ -444,779 +437,779 @@ if ($ENV{"REMOTE_ADDR"} eq "") { ### Save main settings ### if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) - || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SAVE_ERROR; - } - - unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! - $errormessage = $Lang::tr{'invalid time period'}; - goto SAVE_ERROR; - } - - if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { - $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; - goto SAVE_ERROR; - } - - $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; - $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; - $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; - $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; - &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); - &writeipsecfiles(); - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); - } else { - system('/usr/local/bin/ipsecctrl', 'D'); - } - sleep $sleepDelay; - SAVE_ERROR: + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + + unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'}) + || $cgiparams{'VPN_IP'} eq '%defaultroute' ) { + $errormessage = $Lang::tr{'invalid input for hostname'}; + goto SAVE_ERROR; + } + + unless ($cgiparams{'VPN_DELAYED_START'} =~ /^[0-9]{1,3}$/ ) { #allow 0-999 seconds ! 
+ $errormessage = $Lang::tr{'invalid time period'}; + goto SAVE_ERROR; + } + + if ( $cgiparams{'RW_NET'} ne '' and !&General::validipandmask($cgiparams{'RW_NET'}) ) { + $errormessage = $Lang::tr{'urlfilter invalid ip or mask error'}; + goto SAVE_ERROR; + } + + $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; + $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'}; + $vpnsettings{'VPN_DELAYED_START'} = $cgiparams{'VPN_DELAYED_START'}; + $vpnsettings{'RW_NET'} = $cgiparams{'RW_NET'}; + &General::writehash("${General::swroot}/vpn/settings", %vpnsettings); + &writeipsecfiles(); + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S'); + } else { + system('/usr/local/bin/ipsecctrl', 'D'); + } + sleep $sleepDelay; + SAVE_ERROR: ### ### Reset all step 2 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - foreach my $key (keys %confighash) { - if ($confighash{$key}[4] eq 'cert') { - delete $confighash{$key}; - } - } - while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) { - unlink $file - } - &cleanssldatabase(); - if (open(FILE, ">${General::swroot}/vpn/caconfig")) { - print FILE ""; - close FILE; - } - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + foreach my $key (keys %confighash) { + if ($confighash{$key}[4] eq 'cert') { + delete $confighash{$key}; + } + } + while (my $file = glob("${General::swroot}/{ca,certs,crls,private}/*")) { + unlink $file + } + &cleanssldatabase(); + if (open(FILE, ">${General::swroot}/vpn/caconfig")) { + print FILE ""; + close FILE; + } + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay;
### ### Reset all step 1 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); - print <<END + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print <<END <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> - <td align='center'> - <input type='hidden' name='AREUSURE' value='yes' /> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td> - </tr><tr> - <td align='center'> - <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /> + <table width='100%'> + <tr> + <td align='center'> + <input type='hidden' name='AREUSURE' value='yes' /> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} + </td> + </tr><tr> + <td align='center'> + <input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /> <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> - </tr> - </table> + </tr> + </table> </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit (0); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0);
### ### Upload CA Certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto UPLOADCA_ERROR; - } - - if (length($cgiparams{'CA_NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - - if ($cgiparams{'CA_NAME'} eq 'ca') { - $errormessage = $Lang::tr{'name is invalid'}; - goto UPLOAD_CA_ERROR; - } - - # Check if there is no other entry with this name - foreach my $key (keys %cahash) { - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { - $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; - goto UPLOADCA_ERROR; - } - } - - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; - } - # Move uploaded ca to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; - } - my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - unlink ($filename); - goto UPLOADCA_ERROR; - } else { - move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? 
ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } - } - - my $key = &General::findhasharraykey (%cahash); - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; - $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; - - UPLOADCA_ERROR: + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto UPLOADCA_ERROR; + } + + if (length($cgiparams{'CA_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'CA_NAME'} eq 'ca') { + $errormessage = $Lang::tr{'name is invalid'}; + goto UPLOAD_CA_ERROR; + } + + # Check if there is no other entry with this name + foreach my $key (keys %cahash) { + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { + $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; + goto UPLOADCA_ERROR; + } + } + + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded ca to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl x509 -text -in $filename`; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + move($filename, "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + if ($? 
ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + + my $key = &General::findhasharraykey (%cahash); + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; + $cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem")); + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + + UPLOADCA_ERROR:
### ### Display ca certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + }
### ### Export ca certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Type: application/octet-stream\r\n"; - print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - exit(0); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + }
### ### Remove ca certificate (step 2) ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { - # Delete connection - system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); - unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); - delete $confighash{$key}; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - } + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + foreach my $key (keys %confighash) { + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; + if ($test =~ /: OK/) { + # Delete connection + system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled); + unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$key}[1].p12"); + delete $confighash{$key}; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + } + } + unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + delete $cahash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + } 
else { + $errormessage = $Lang::tr{'invalid key'}; } - unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - delete $cahash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Remove ca certificate (step 1) ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - - my $assignedcerts = 0; - if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { - foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { - $assignedcerts++; - } - } - if ($assignedcerts) { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> - <td align='center'> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> - <input type='hidden' name='AREUSURE' value='yes' /></td> - </tr><tr> - <td align='center'> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> - $Lang::tr{'connections are associated with this ca. 
deleting the ca will delete these connections as well.'}</td> - </tr><tr> - <td align='center'> - <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> - <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> - </tr> - </table> - </form> + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + + my $assignedcerts = 0; + if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { + foreach my $key (keys %confighash) { + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`; + if ($test =~ /: OK/) { + $assignedcerts++; + } + } + if ($assignedcerts) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print <<END + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%'> + <tr> + <td align='center'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + <input type='hidden' name='AREUSURE' value='yes' /></td> + </tr><tr> + <td align='center'> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b> $Lang::tr{'connections are associated with this ca. 
deleting the ca will delete these connections as well.'}</td> + </tr><tr> + <td align='center'> + <input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> + <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td> + </tr> + </table> + </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit (0); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); + } else { + unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + delete $cahash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + sleep $sleepDelay; + } } else { - unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); - delete $cahash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - sleep $sleepDelay; + $errormessage = $Lang::tr{'invalid key'}; } - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
### ### Display root certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { - &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; - } else { - &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; - } - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + my $output; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { + &Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`; + } else { + &Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`; + } + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0);
### ### Export root certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) { - if ( -f "${General::swroot}/ca/cacert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; - exit(0); - } + if ( -f "${General::swroot}/ca/cacert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`; + exit(0); + } ### ### Export host certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) { - if ( -f "${General::swroot}/certs/hostcert.pem" ) { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; - exit(0); - } + if ( -f "${General::swroot}/certs/hostcert.pem" ) { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n"; + print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`; + exit(0); + } ### ### Form for generating/importing the caroot+host certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || - $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - - if (-f "${General::swroot}/ca/cacert.pem") { - $errormessage = $Lang::tr{'valid root certificate already exists'}; - goto ROOTCERT_SKIP; - } - - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - # fill in initial values - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { - if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - 
$cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { - $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; - } - } - $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &General::log("ipsec", "Importing from p12..."); + $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { + + if (-f "${General::swroot}/ca/cacert.pem") { + $errormessage = $Lang::tr{'valid root certificate already exists'}; + goto ROOTCERT_SKIP; + } + + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + # fill in initial values + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { + if (-e "${General::swroot}/red/active" && open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = <IPADDR>; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') { + $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr; + } + } + $cgiparams{'ROOTCERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'} if (!$cgiparams{'ROOTCERT_COUNTRY'}); + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { + &General::log("ipsec", "Importing from p12...");
- if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ROOTCERT_ERROR; - } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto ROOTCERT_ERROR; + }
- # Move uploaded certificate request to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ROOTCERT_ERROR; - } + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto ROOTCERT_ERROR; + }
- # Extract the CA certificate from the file - &General::log("ipsec", "Extracting caroot from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newcacert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - - # Extract the Host certificate from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostcert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - } - - # Extract the Host key from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting private key from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -nocerts -nodes"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostkey"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - } - - if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); - move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } - - if (!$errormessage) { - &General::log("ipsec", "Moving private key..."); - move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); - } - - #cleanup temp files - unlink ($filename); - unlink ('/tmp/newcacert'); - unlink ('/tmp/newhostcert'); - unlink ('/tmp/newhostkey'); - if ($errormessage) { - unlink ("${General::swroot}/ca/cacert.pem"); - unlink ("${General::swroot}/certs/hostcert.pem"); - unlink ("${General::swroot}/certs/hostkey.pem"); - goto ROOTCERT_ERROR; - } + # Extract the CA certificate from the file + &General::log("ipsec", "Extracting caroot from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -cacerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newcacert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + }
- # Create empty CRL cannot be done because we don't have - # the private key for this CAROOT - # IPFire can only import certificates + # Extract the Host certificate from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting host cert from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -clcerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostcert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + }
- &General::log("ipsec", "p12 import completed!"); - &cleanssldatabase(); - goto ROOTCERT_SUCCESS; - - } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { - - # Validate input since the form was submitted - if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ - $errormessage = $Lang::tr{'organization cant be empty'}; - goto ROOTCERT_ERROR; - } - if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ - $errormessage = $Lang::tr{'hostname cant be empty'}; - goto ROOTCERT_ERROR; - } - unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { - $errormessage = $Lang::tr{'invalid input for hostname'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto ROOTCERT_ERROR; - } - if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto ROOTCERT_ERROR; - } - if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto ROOTCERT_ERROR; - } - #the exact syntax is a list comma separated of - # email:any-validemail - # URI: a uniform resource indicator - # DNS: a DNS domain name - # RID: a registered OBJECT IDENTIFIER - # IP: an IP address - # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com - - if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { - $errormessage = $Lang::tr{'vpn altname syntax'}; - goto VPNCONF_ERROR; - } - - # Copy the cgisettings to vpnsettings and save the configfile - $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'}; - $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'}; - $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'}; - $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'}; - $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; - $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; - $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; - 
&General::writehash("${General::swroot}/vpn/settings", %vpnsettings); + # Extract the Host key from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting private key from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -nocerts -nodes"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostkey"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + }
- # Replace empty strings with a . - (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/./; - (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/./; - (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/./; - - # Create the CA certificate - if (!$errormessage) { - &General::log("ipsec", "Creating cacert..."); - if (open(STDIN, "-|")) { - my $opt = " req -x509 -sha256 -nodes"; - $opt .= " -days 999999"; - $opt .= " -newkey rsa:4096"; - $opt .= " -keyout ${General::swroot}/private/cakey.pem"; - $opt .= " -out ${General::swroot}/ca/cacert.pem"; - - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; - exit (0); - } - } - - # Create the Host certificate request - if (!$errormessage) { - &General::log("ipsec", "Creating host cert..."); - if (open(STDIN, "-|")) { - my $opt = " req -sha256 -nodes"; - $opt .= " -newkey rsa:2048"; - $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; - $opt .= " -out ${General::swroot}/certs/hostreq.pem"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; - print "$cgiparams{'ROOTCERT_EMAIL'}\n"; - print ".\n"; - print ".\n"; - exit (0); - } - } + if (!$errormessage) { + &General::log("ipsec", "Moving cacert..."); + move("/tmp/newcacert", "${General::swroot}/ca/cacert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } + + if (!$errormessage) { + &General::log("ipsec", "Moving host cert..."); + move("/tmp/newhostcert", "${General::swroot}/certs/hostcert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); + } + + if (!$errormessage) { + &General::log("ipsec", "Moving private key..."); + move("/tmp/newhostkey", "${General::swroot}/certs/hostkey.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + } + + #cleanup temp files + unlink ($filename); + unlink ('/tmp/newcacert'); + unlink ('/tmp/newhostcert'); + unlink ('/tmp/newhostkey'); + if ($errormessage) { + unlink ("${General::swroot}/ca/cacert.pem"); + unlink ("${General::swroot}/certs/hostcert.pem"); + unlink ("${General::swroot}/certs/hostkey.pem"); + goto ROOTCERT_ERROR; + }
- # Sign the host certificate request - if (!$errormessage) { - &General::log("ipsec", "Self signing host cert..."); + # Create empty CRL cannot be done because we don't have + # the private key for this CAROOT + # IPFire can only import certificates
- #No easy way for specifying the contain of subjectAltName without writing a config file... - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); - print $fh <<END - basicConstraints=CA:FALSE - nsComment="OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid,issuer:always - extendedKeyUsage = serverAuth + &General::log("ipsec", "p12 import completed!"); + &cleanssldatabase(); + goto ROOTCERT_SUCCESS; + + } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { + + # Validate input since the form was submitted + if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){ + $errormessage = $Lang::tr{'organization cant be empty'}; + goto ROOTCERT_ERROR; + } + if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){ + $errormessage = $Lang::tr{'hostname cant be empty'}; + goto ROOTCERT_ERROR; + } + unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) { + $errormessage = $Lang::tr{'invalid input for hostname'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto ROOTCERT_ERROR; + } + if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto ROOTCERT_ERROR; + } + if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto ROOTCERT_ERROR; + } + #the exact syntax is a list comma separated of + # email:any-validemail + # URI: a uniform resource indicator + # DNS: a DNS domain name + # RID: a registered OBJECT IDENTIFIER + # IP: an IP address + # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com + + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { + $errormessage = $Lang::tr{'vpn altname syntax'}; + goto VPNCONF_ERROR; + } + + # Copy the cgisettings to vpnsettings and save the configfile + $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'}; + $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'}; + $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'}; + $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'}; + $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'}; + $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'}; + $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'}; + 
&General::writehash("${General::swroot}/vpn/settings", %vpnsettings); + + # Replace empty strings with a . + (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/./; + (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/./; + (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/./; + + # Create the CA certificate + if (!$errormessage) { + &General::log("ipsec", "Creating cacert..."); + if (open(STDIN, "-|")) { + my $opt = " req -x509 -sha256 -nodes"; + $opt .= " -days 999999"; + $opt .= " -newkey rsa:4096"; + $opt .= " -keyout ${General::swroot}/private/cakey.pem"; + $opt .= " -out ${General::swroot}/ca/cacert.pem"; + + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n"; + print "$cgiparams{'ROOTCERT_EMAIL'}\n"; + exit (0); + } + } + + # Create the Host certificate request + if (!$errormessage) { + &General::log("ipsec", "Creating host cert..."); + if (open(STDIN, "-|")) { + my $opt = " req -sha256 -nodes"; + $opt .= " -newkey rsa:2048"; + $opt .= " -keyout ${General::swroot}/certs/hostkey.pem"; + $opt .= " -out ${General::swroot}/certs/hostreq.pem"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'ROOTCERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'ROOTCERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'ROOTCERT_HOSTNAME'}\n"; + print "$cgiparams{'ROOTCERT_EMAIL'}\n"; + print ".\n"; + print ".\n"; + exit (0); + } + } + + # Sign the host certificate request + if (!$errormessage) { + &General::log("ipsec", "Self signing host cert..."); + + #No easy way for specifying the contain of subjectAltName without writing a config file... 
+ my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); + print $fh <<END + basicConstraints=CA:FALSE + nsComment="OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + authorityKeyIdentifier=keyid,issuer:always + extendedKeyUsage = serverAuth END ; - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); - close ($fh); - - my $opt = " ca -md sha256 -days 999999"; - $opt .= " -batch -notext"; - $opt .= " -in ${General::swroot}/certs/hostreq.pem"; - $opt .= " -out ${General::swroot}/certs/hostcert.pem"; - $opt .= " -extfile $v3extname"; - $errormessage = &callssl ($opt); - unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed - unlink ($v3extname); - } - - # Create an empty CRL - if (!$errormessage) { - &General::log("ipsec", "Creating emptycrl..."); - my $opt = " ca -gencrl"; - $opt .= " -out ${General::swroot}/crls/cacrl.pem"; - $errormessage = &callssl ($opt); - } - - # Successfully build CA / CERT! - if (!$errormessage) { - &cleanssldatabase(); - goto ROOTCERT_SUCCESS; - } - - #Cleanup - unlink ("${General::swroot}/ca/cacert.pem"); - unlink ("${General::swroot}/certs/hostkey.pem"); - unlink ("${General::swroot}/certs/hostcert.pem"); - unlink ("${General::swroot}/crls/cacrl.pem"); - &cleanssldatabase(); - } - - ROOTCERT_ERROR: - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } - &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); - print <<END - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> - <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> - <td width='60%' class='base' 
nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'your department'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'city'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'state or province'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'country'}:</td> - <td class='base'><select name='ROOTCERT_COUNTRY'> + print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); + close ($fh); + + my $opt = " ca -md sha256 -days 999999"; + $opt .= " -batch -notext"; + $opt .= " -in ${General::swroot}/certs/hostreq.pem"; + $opt .= " -out ${General::swroot}/certs/hostcert.pem"; + $opt .= " -extfile $v3extname"; + $errormessage = &callssl ($opt); + unlink ("${General::swroot}/certs/hostreq.pem"); #no more needed + unlink ($v3extname); + } + + # Create an empty CRL + if (!$errormessage) { + &General::log("ipsec", "Creating emptycrl..."); + my $opt = " ca -gencrl"; + $opt .= " -out ${General::swroot}/crls/cacrl.pem"; + $errormessage = &callssl ($opt); + } + + # Successfully build CA / CERT! 
+ if (!$errormessage) { + &cleanssldatabase(); + goto ROOTCERT_SUCCESS; + } + + #Cleanup + unlink ("${General::swroot}/ca/cacert.pem"); + unlink ("${General::swroot}/certs/hostkey.pem"); + unlink ("${General::swroot}/certs/hostcert.pem"); + unlink ("${General::swroot}/crls/cacrl.pem"); + &cleanssldatabase(); + } + + ROOTCERT_ERROR: + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); + print <<END + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0' cellspacing='1' cellpadding='0'> + <tr><td width='40%' class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> + <td width='60%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'ipfires hostname'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'your e-mail'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'your department'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'city'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'state or 
province'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'country'}:</td> + <td class='base'><select name='ROOTCERT_COUNTRY'> END - ; - foreach my $country (sort keys %{Countries::countries}) { - print "<option value='$Countries::countries{$country}'"; - if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) { - print " selected='selected'"; - } - print ">$country</option>"; - } - print <<END - </select></td></tr> - <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> +; + foreach my $country (sort keys %{Countries::countries}) { + print "<option value='$Countries::countries{$country}'"; + if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) { + print " selected='selected'"; + } + print ">$country</option>"; + } + print <<END + </select></td></tr> + <tr><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' /></td></tr> - <tr><td> </td> - <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> - <tr><td class='base' colspan='2' align='left'> - <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. 
please be patient'} - </td></tr> - <tr><td colspan='2'><hr></td></tr> - <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td> - <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr> - <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> - <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> - <tr><td> </td> - <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr> - <tr><td class='base' colspan='2' align='left'> - <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr> - </table></form> + <tr><td> </td> + <td><br /><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /><br /><br /></td></tr> + <tr><td class='base' colspan='2' align='left'> + <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: + $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. 
please be patient'} + </td></tr> + <tr><td colspan='2'><hr></td></tr> + <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td> + <td nowrap='nowrap'><input type='file' name='FH' size='32' /></td></tr> + <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td> + <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td></tr> + <tr><td> </td> + <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td></tr> + <tr><td class='base' colspan='2' align='left'> + <img src='/blob.gif' alt='*' /> $Lang::tr{'required field'}</td></tr> + </table></form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); - - ROOTCERT_SUCCESS: - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S'); - sleep $sleepDelay; - } - ROOTCERT_SKIP: +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0); + + ROOTCERT_SUCCESS: + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S'); + sleep $sleepDelay; + } + ROOTCERT_SKIP: ### ### Export PKCS12 file to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; - print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; - exit (0); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; + print "Content-Type: application/octet-stream\r\n\r\n"; + print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + exit (0);
### ### Display certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', ''); - &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "<pre>$output</pre>\n"; - &Header::closebox(); - print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - } + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', "$Lang::tr{'cert'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "<pre>$output</pre>\n"; + &Header::closebox(); + print "<div align='center'><a href='/cgi-bin/vpnmain.cgi'>$Lang::tr{'back'}</a></div>"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + }
### ### Export Certificate to browser ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) { - &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhasharray("${General::swroot}/vpn/config", %confighash);
- if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - print "Content-Type: application/force-download\n"; - print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; - print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - exit (0); - } + if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { + print "Content-Type: application/force-download\n"; + print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n"; + print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + exit (0); + }
### ### Enable/Disable connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { - - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { - $confighash{$cgiparams{'KEY'}}[0] = 'on'; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled); + } else { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + $confighash{$cgiparams{'KEY'}}[0] = 'off'; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + } + sleep $sleepDelay; } else { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - $confighash{$cgiparams{'KEY'}}[0] = 'off'; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); + $errormessage = $Lang::tr{'invalid key'}; } - sleep $sleepDelay; - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
### ### Restart connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash);
- if ($confighash{$cgiparams{'KEY'}}) { - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); - sleep $sleepDelay; + if ($confighash{$cgiparams{'KEY'}}) { + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + sleep $sleepDelay; + } + } else { + $errormessage = $Lang::tr{'invalid key'}; } - } else { - $errormessage = $Lang::tr{'invalid key'}; - }
### ### Remove connection ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } &General::firewall_reload(); ### ### Choose between adding a host-net or net-net connection 
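Review bot: In the 'download pkcs12 file' branch, $confighash{$cgiparams{'KEY'}}[1] goes into the Content-Disposition header and the /bin/cat backtick command without any check that the key exists, unlike the toggle, restart and remove branches, which fall through to $Lang::tr{'invalid key'}. Since these lines are being re-indented anyway, add the same if ($confighash{$cgiparams{'KEY'}}) guard plus a -f test on the .p12 path (as the 'download certificate' branch already has for cert.pem), and read the file with open() and print instead of going through a shell backtick. The same branch also emits two Content-Type headers and mixes "\n" with "\r\n" line endings, which is worth cleaning up in this pass.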
@@ -1227,535 +1220,545 @@ END &Header::openbigbox('100%', 'left', '', ''); &Header::openbox('100%', 'left', $Lang::tr{'connection type'}); print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <b>$Lang::tr{'connection type'}:</b><br /> - <table> - <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <b>$Lang::tr{'connection type'}:</b><br /> + <table> + <tr><td><input type='radio' name='TYPE' value='host' checked='checked' /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td> - </tr><tr> + </tr><tr> <td><input type='radio' name='TYPE' value='net' /></td> <td class='base'>$Lang::tr{'net to net vpn'}</td> - </tr><tr> + </tr><tr> <td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td> - </tr> - </table></form> + </tr> + </table></form> END - ; +; &Header::closebox(); &Header::closebigbox(); &Header::closepage(); exit (0); ### -### Adding/Editing/Saving a connection +### Adding/Editing/Saving a connection ### } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { - - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - if (! 
$confighash{$cgiparams{'KEY'}}[0]) { - $errormessage = $Lang::tr{'invalid key'}; - goto VPNCONF_END; - } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; - $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; - $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; - $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; - $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; - $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { - $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; - } - $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; - $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'DPD_DELAY'} = 
$confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
- if (!$cgiparams{'DPD_DELAY'}) { - $cgiparams{'DPD_DELAY'} = 30; - } + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + &General::readhasharray("${General::swroot}/vpn/config", %confighash);
- if (!$cgiparams{'DPD_TIMEOUT'}) { - $cgiparams{'DPD_TIMEOUT'} = 120; - } + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { + if (! $confighash{$cgiparams{'KEY'}}[0]) { + $errormessage = $Lang::tr{'invalid key'}; + goto VPNCONF_END; + } + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + #$cgiparams{'free'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_ID'} = $confighash{$cgiparams{'KEY'}}[7]; + my @local_subnets = split(",", $confighash{$cgiparams{'KEY'}}[8]); + $cgiparams{'LOCAL_SUBNET'} = join(/|/, @local_subnets); + $cgiparams{'REMOTE_ID'} = $confighash{$cgiparams{'KEY'}}[9]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + my @remote_subnets = split(",", $confighash{$cgiparams{'KEY'}}[11]); + $cgiparams{'REMOTE_SUBNET'} = join(/|/, @remote_subnets); + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; + $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; + $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; + $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; + $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; + $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { + $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; + } + $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; + $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; + $cgiparams{'ONLY_PROPOSED'} = 
$confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + + if (!$cgiparams{'DPD_DELAY'}) { + $cgiparams{'DPD_DELAY'} = 30; + }
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is invalid'}; - goto VPNCONF_ERROR; - } + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + }
- if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto VPNCONF_ERROR; - } + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + goto VPNCONF_ERROR; + }
- if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto VPNCONF_ERROR; + }
- if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { + $errormessage = $Lang::tr{'name is invalid'}; + goto VPNCONF_ERROR; + }
- # Check if there is no other entry with this name - if (! $cgiparams{'KEY'}) { #only for add - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; + if (length($cgiparams{'NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; } - } - }
- if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } + # Check if there is no other entry with this name + if (! $cgiparams{'KEY'}) { #only for add + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + }
- if ($cgiparams{'REMOTE'}) { - if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } else { - if (&valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; - } + if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; } - } - }
- unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { - $errormessage = $Lang::tr{'local subnet is invalid'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'REMOTE'}) { + if (($cgiparams{'REMOTE'} ne '%any') && (! &General::validip($cgiparams{'REMOTE'}))) { + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; + } else { + if (&valid_dns_host($cgiparams{'REMOTE'})) { + $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; + } + } + } + }
- # Allow only one roadwarrior/psk without remote IP-address - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') { - foreach my $key (keys %confighash) { - if ( ($cgiparams{'KEY'} ne $key) && - ($confighash{$key}[4] eq 'psk') && - ($confighash{$key}[10] eq '') ) { - $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; - goto VPNCONF_ERROR; + my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); + foreach my $subnet (@local_subnets) { + unless (&Network::check_subnet($subnet)) { + $errormessage = $Lang::tr{'local subnet is invalid'}; + goto VPNCONF_ERROR; + } } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { - $errormessage = $Lang::tr{'remote subnet is invalid'}; - goto VPNCONF_ERROR; - }
- if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } + # Allow only one roadwarrior/psk without remote IP-address + if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'AUTH'} eq 'psk') { + foreach my $key (keys %confighash) { + if ( ($cgiparams{'KEY'} ne $key) && + ($confighash{$key}[4] eq 'psk') && + ($confighash{$key}[10] eq '') ) { + $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + goto VPNCONF_ERROR; + } + } + }
- # Allow nothing or a string (DN,FDQN,) beginning with @ - # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || - (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) - ) { - $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . - 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . - 'FQDN: @ipfire.org<br />' . - 'USER_FQDN: info@ipfire.org<br />' . - 'IPV4_ADDR: 123.123.123.123'; - goto VPNCONF_ERROR; - } - # If Auth is DN, verify existance of Remote ID. - if ( $cgiparams{'REMOTE_ID'} eq '' && ( - $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation - $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing - $errormessage = $Lang::tr{'vpn missing remote id'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'TYPE'} eq 'net') { + my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); + foreach my $subnet (@remote_subnets) { + unless (&Network::check_subnet($subnet)) { + $errormessage = $Lang::tr{'remote subnet is invalid'}; + goto VPNCONF_ERROR; + } + } + }
- if ($cgiparams{'TYPE'} eq 'net'){ - $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); - if ($warnmessage ne ''){ - $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; } - }
- if ($cgiparams{'AUTH'} eq 'psk') { - if (! length($cgiparams{'PSK'}) ) { - $errormessage = $Lang::tr{'pre-shared key is too short'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'PSK'} =~ /'/) { - $cgiparams{'PSK'} =~ tr/'/ /; - $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; - goto VPNCONF_ERROR; - } + # Allow nothing or a string (DN,FDQN,) beginning with @ + # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*/-]+|\d+.\d+.\d+.\d+)$/) || + (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) + ) { + $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . + 'DER_ASN1_DN: @c=FR/ou=Paris/ou=Home/cn=*<br />' . + 'FQDN: @ipfire.org<br />' . + 'USER_FQDN: info@ipfire.org<br />' . + 'IPV4_ADDR: 123.123.123.123'; + goto VPNCONF_ERROR; + } + # If Auth is DN, verify existance of Remote ID. + if ( $cgiparams{'REMOTE_ID'} eq '' && ( + $cgiparams{'AUTH'} eq 'auth-dn'|| # while creation + $confighash{$cgiparams{'KEY'}}[2] eq '%auth-dn')){ # while editing + $errormessage = $Lang::tr{'vpn missing remote id'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'TYPE'} eq 'net'){ + $warnmessage=&General::checksubnets('',$cgiparams{'REMOTE_SUBNET'},'ipsec'); + if ($warnmessage ne ''){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage; + } + } + + if ($cgiparams{'AUTH'} eq 'psk') { + if (! 
length($cgiparams{'PSK'}) ) { + $errormessage = $Lang::tr{'pre-shared key is too short'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'PSK'} =~ /'/) { + $cgiparams{'PSK'} =~ tr/'/ /; + $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'certreq') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + }
- # Move uploaded certificate request to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + }
- # Sign the certificate request - &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); - my $opt = " ca -md sha256 -days 999999"; + # Sign the certificate request + &General::log("ipsec", "Signing your cert $cgiparams{'NAME'}..."); + my $opt = " ca -md sha256 -days 999999"; $opt .= " -batch -notext"; $opt .= " -in $filename"; $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
- if ( $errormessage = &callssl ($opt) ) { - unlink ($filename); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($filename); - &cleanssldatabase(); - } - - $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($cgiparams{'CERT_NAME'} eq '') { - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } + if ( $errormessage = &callssl ($opt) ) { + unlink ($filename); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + &cleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($filename); + &cleanssldatabase(); + } + + $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($cgiparams{'CERT_NAME'} eq '') { + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'pkcs12') { &General::log("ipsec", "Importing from p12...");
if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ROOTCERT_ERROR; + $errormessage = $Lang::tr{'there was no file upload'}; + goto ROOTCERT_ERROR; }
# Move uploaded certificate request to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ROOTCERT_ERROR; + $errormessage = $!; + goto ROOTCERT_ERROR; }
# Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; - $errormessage = &callssl ($opt); - } else { #child - print "$cgiparams{'P12_PASS'}\n"; - exit (0); - } - - # Extract the Host certificate from the file - if (!$errormessage) { - &General::log("ipsec", "Extracting host cert from p12..."); - if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; - $opt .= " -in $filename"; - $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); - } else { #child + } else { #child print "$cgiparams{'P12_PASS'}\n"; exit (0); - } - } - - if (!$errormessage) { - &General::log("ipsec", "Moving cacert..."); - #If CA have new subject, add it to our list of CA - my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); - my @names; - foreach my $x (keys %cahash) { - $casubject='' if ($cahash{$x}[1] eq $casubject); - unshift (@names,$cahash{$x}[0]); - } - if ($casubject) { # a new one! - my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - } else { - #compute a name for it - my $idx=0; - while (grep(/Imported-$idx/, @names) ) {$idx++}; - $cgiparams{'CA_NAME'}="Imported-$idx"; - $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); - move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); - if (!$errormessage) { - my $key = &General::findhasharraykey (%cahash); - $cahash{$key}[0] = $cgiparams{'CA_NAME'}; - $cahash{$key}[1] = $casubject; - &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); - system('/usr/local/bin/ipsecctrl', 'R'); - } - } - } + } + + # Extract the Host certificate from the file + if (!$errormessage) { + &General::log("ipsec", "Extracting host cert from p12..."); + if (open(STDIN, "-|")) { + my $opt = " pkcs12 -clcerts -nokeys"; + $opt .= " -in $filename"; + $opt .= " -out /tmp/newhostcert"; + $errormessage = &callssl ($opt); + } else { #child + print "$cgiparams{'P12_PASS'}\n"; + exit (0); + } + } + + if (!$errormessage) { + &General::log("ipsec", "Moving cacert..."); + #If CA have new subject, add it to our list of CA + my $casubject = &Header::cleanhtml(getsubjectfromcert ('/tmp/newcacert')); + my @names; + foreach my $x (keys %cahash) { + $casubject='' if ($cahash{$x}[1] eq $casubject); + unshift (@names,$cahash{$x}[0]); + } + if ($casubject) { # a new one! + my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + } else { + #compute a name for it + my $idx=0; + while (grep(/Imported-$idx/, @names) ) {$idx++}; + $cgiparams{'CA_NAME'}="Imported-$idx"; + $cgiparams{'CERT_NAME'}=&Header::cleanhtml(getCNfromcert ('/tmp/newhostcert')); + move("/tmp/newcacert", "${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? 
ne 0); + if (!$errormessage) { + my $key = &General::findhasharraykey (%cahash); + $cahash{$key}[0] = $cgiparams{'CA_NAME'}; + $cahash{$key}[1] = $casubject; + &General::writehasharray("${General::swroot}/vpn/caconfig", %cahash); + system('/usr/local/bin/ipsecctrl', 'R'); + } + } + } } if (!$errormessage) { - &General::log("ipsec", "Moving host cert..."); - move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); - } + &General::log("ipsec", "Moving host cert..."); + move("/tmp/newhostcert", "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = "$Lang::tr{'certificate file move failed'}: $!" if ($? ne 0); + }
#cleanup temp files unlink ($filename); unlink ('/tmp/newcacert'); unlink ('/tmp/newhostcert'); if ($errormessage) { - unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - goto VPNCONF_ERROR; + unlink ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + goto VPNCONF_ERROR; } &General::log("ipsec", "p12 import completed!"); } elsif ($cgiparams{'AUTH'} eq 'certfile') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - # Move uploaded certificate to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - - # Verify the certificate has a valid CA and move it - &General::log("ipsec", "Validating imported cert against our known CA..."); - my $validca = 1; #assume ok - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; - if ($test !~ /: OK/) { - my $validca = 0; - foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - last; - } - } - } - if (! $validca) { - $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; - unlink ($filename); - goto VPNCONF_ERROR; - } else { - move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($? 
ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto VPNCONF_ERROR; + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + # Move uploaded certificate to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; } - }
- $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - if ($cgiparams{'CERT_NAME'} eq '') { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } + # Verify the certificate has a valid CA and move it + &General::log("ipsec", "Validating imported cert against our known CA..."); + my $validca = 1; #assume ok + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`; + if ($test !~ /: OK/) { + my $validca = 0; + foreach my $key (keys %cahash) { + $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + last; + } + } + } + if (! $validca) { + $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; + unlink ($filename); + goto VPNCONF_ERROR; + } else { + move($filename, "${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto VPNCONF_ERROR; + } + } + + $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + if ($cgiparams{'CERT_NAME'} eq '') { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } } elsif ($cgiparams{'AUTH'} eq 'certgen') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - # Validate input since the form was submitted - if (length($cgiparams{'CERT_NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { - $errormessage = $Lang::tr{'invalid input for name'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'CERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto VPNCONF_ERROR; - } - #the exact syntax is a list comma separated of - # email:any-validemail - # URI: a uniform resource indicator - # DNS: a DNS domain name - # RID: a registered OBJECT IDENTIFIER - # IP: an IP address - # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com - - if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { - $errormessage = $Lang::tr{'vpn altname syntax'}; - goto VPNCONF_ERROR; - } + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + # Validate input since the form was submitted + if (length($cgiparams{'CERT_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + if 
($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { + $errormessage = $Lang::tr{'invalid input for name'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,.-_]+$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,.-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto VPNCONF_ERROR; + } + #the exact syntax is a list comma separated of + # email:any-validemail + # URI: a uniform resource indicator + # DNS: a DNS domain name + # RID: a registered OBJECT IDENTIFIER + # IP: an IP address + # example: email:franck@foo.com,IP:10.0.0.10,DNS:franck.foo.com + + if ($cgiparams{'SUBJECTALTNAME'} ne '' && $cgiparams{'SUBJECTALTNAME'} !~ /^(email|URI|DNS|RID|IP):[a-zA-Z0-9 :/,.-_@]*$/) { + $errormessage = $Lang::tr{'vpn altname syntax'}; + goto VPNCONF_ERROR; + }
- if (length($cgiparams{'CERT_PASS1'}) < 5) { - $errormessage = $Lang::tr{'password too short'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { - $errormessage = $Lang::tr{'passwords do not match'}; - goto VPNCONF_ERROR; - } + if (length($cgiparams{'CERT_PASS1'}) < 5) { + $errormessage = $Lang::tr{'password too short'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { + $errormessage = $Lang::tr{'passwords do not match'}; + goto VPNCONF_ERROR; + }
- # Replace empty strings with a . - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/./; - (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/./; - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/./; + # Replace empty strings with a . + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/./; + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/./; + (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/./;
- # Create the Client certificate request - &General::log("ipsec", "Creating a cert..."); + # Create the Client certificate request + &General::log("ipsec", "Creating a cert...");
- if (open(STDIN, "-|")) { - my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; - $opt .= " -newkey rsa:2048"; - $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + if (open(STDIN, "-|")) { + my $opt = " req -nodes -rand /proc/interrupts:/proc/net/rt_cache"; + $opt .= " -newkey rsa:2048"; + $opt .= " -keyout ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; + } + } else { #child + print "$cgiparams{'CERT_COUNTRY'}\n"; + print "$state\n"; + print "$city\n"; + print "$cgiparams{'CERT_ORGANIZATION'}\n"; + print "$ou\n"; + print "$cgiparams{'CERT_NAME'}\n"; + print "$cgiparams{'CERT_EMAIL'}\n"; + print ".\n"; + print ".\n"; + exit (0); + }
- if ( $errormessage = &callssl ($opt) ) { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } else { #child - print "$cgiparams{'CERT_COUNTRY'}\n"; - print "$state\n"; - print "$city\n"; - print "$cgiparams{'CERT_ORGANIZATION'}\n"; - print "$ou\n"; - print "$cgiparams{'CERT_NAME'}\n"; - print "$cgiparams{'CERT_EMAIL'}\n"; - print ".\n"; - print ".\n"; - exit (0); - } - - # Sign the client certificate request - &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); - - #No easy way for specifying the contain of subjectAltName without writing a config file... - my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); - print $fh <<END - basicConstraints=CA:FALSE - nsComment="OpenSSL Generated Certificate" - subjectKeyIdentifier=hash - extendedKeyUsage=clientAuth - authorityKeyIdentifier=keyid,issuer:always + # Sign the client certificate request + &General::log("ipsec", "Signing the cert $cgiparams{'NAME'}..."); + + #No easy way for specifying the contain of subjectAltName without writing a config file... 
+ my ($fh, $v3extname) = tempfile ('/tmp/XXXXXXXX'); + print $fh <<END + basicConstraints=CA:FALSE + nsComment="OpenSSL Generated Certificate" + subjectKeyIdentifier=hash + extendedKeyUsage=clientAuth + authorityKeyIdentifier=keyid,issuer:always END ; - print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); - close ($fh); - - my $opt = " ca -md sha256 -days 999999 -batch -notext"; - $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - $opt .= " -extfile $v3extname"; - - if ( $errormessage = &callssl ($opt) ) { - unlink ($v3extname); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($v3extname); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - &cleanssldatabase(); - } - - # Create the pkcs12 file - &General::log("ipsec", "Packing a pkcs12 file..."); - $opt = " pkcs12 -export"; - $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; - $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; - $opt .= " -name "$cgiparams{'NAME'}""; - $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; - $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; - $opt .= " -caname "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA""; - $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; - - if ( $errormessage = &callssl ($opt) ) { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); - } + print $fh "subjectAltName=$cgiparams{'SUBJECTALTNAME'}" if ($cgiparams{'SUBJECTALTNAME'}); + 
close ($fh); + + my $opt = " ca -md sha256 -days 999999 -batch -notext"; + $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}req.pem"; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; + $opt .= " -extfile $v3extname"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ($v3extname); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + &cleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($v3extname); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); + &cleanssldatabase(); + } + + # Create the pkcs12 file + &General::log("ipsec", "Packing a pkcs12 file..."); + $opt = " pkcs12 -export"; + $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; + $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; + $opt .= " -name "$cgiparams{'NAME'}""; + $opt .= " -passout pass:$cgiparams{'CERT_PASS1'}"; + $opt .= " -certfile ${General::swroot}/ca/cacert.pem"; + $opt .= " -caname "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA""; + $opt .= " -out ${General::swroot}/certs/$cgiparams{'NAME'}.p12"; + + if ( $errormessage = &callssl ($opt) ) { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}.p12"); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/certs/$cgiparams{'NAME'}key.pem"); + } } elsif ($cgiparams{'AUTH'} eq 'cert') { - ;# Nothing, just editing + ;# Nothing, just editing } elsif ($cgiparams{'AUTH'} eq 'auth-dn') { - $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file' + $cgiparams{'CERT_NAME'} = '%auth-dn'; # a special value saying 'no cert file' } else { - $errormessage = $Lang::tr{'invalid input for authentication method'}; - goto VPNCONF_ERROR; + $errormessage = $Lang::tr{'invalid 
input for authentication method'}; + goto VPNCONF_ERROR; }
# 1)Error message here is not accurate. @@ -1763,37 +1766,39 @@ END # 3)Present since initial version (1.3.2.11), it isn't a bug correction # Check if there is no other entry with this certificate name #if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk') && ($cgiparams{'AUTH'} ne 'auth-dn')) { - # foreach my $key (keys %confighash) { + # foreach my $key (keys %confighash) { # if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - # $errormessage = $Lang::tr{'a connection with this common name already exists'}; - # goto VPNCONF_ERROR; + # $errormessage = $Lang::tr{'a connection with this common name already exists'}; + # goto VPNCONF_ERROR; + # } # } - # } #} - # Save the config + # Save the config
my $key = $cgiparams{'KEY'}; if (! $key) { - $key = &General::findhasharraykey (%confighash); - foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} + $key = &General::findhasharraykey (%confighash); + foreach my $i (0 .. 32) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; } $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { - $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[4] = 'psk'; + $confighash{$key}[5] = $cgiparams{'PSK'}; } else { - $confighash{$key}[4] = 'cert'; + $confighash{$key}[4] = 'cert'; } if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; + my @remote_subnets = split(",", $cgiparams{'REMOTE_SUBNET'}); + $confighash{$key}[11] = join('|', @remote_subnets); } $confighash{$key}[7] = $cgiparams{'LOCAL_ID'}; - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + my @local_subnets = split(",", $cgiparams{'LOCAL_SUBNET'}); + $confighash{$key}[8] = join('|', @local_subnets); $confighash{$key}[9] = $cgiparams{'REMOTE_ID'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; @@ -1801,7 +1806,7 @@ END $confighash{$key}[27] = $cgiparams{'DPD_ACTION'}; $confighash{$key}[29] = $cgiparams{'IKE_VERSION'};
- #dont forget advanced value + # don't forget advanced value $confighash{$key}[18] = $cgiparams{'IKE_ENCRYPTION'}; $confighash{$key}[19] = $cgiparams{'IKE_INTEGRITY'}; $confighash{$key}[20] = $cgiparams{'IKE_GROUPTYPE'}; @@ -1814,44 +1819,43 @@ END $confighash{$key}[13] = $cgiparams{'COMPRESSION'}; $confighash{$key}[24] = $cgiparams{'ONLY_PROPOSED'}; $confighash{$key}[28] = $cgiparams{'PFS'}; - $confighash{$key}[14] = $cgiparams{'VHOST'}; $confighash{$key}[30] = $cgiparams{'DPD_TIMEOUT'}; $confighash{$key}[31] = $cgiparams{'DPD_DELAY'}; $confighash{$key}[32] = $cgiparams{'FORCE_MOBIKE'};
- #free unused fields! + # free unused fields! $confighash{$key}[6] = 'off'; $confighash{$key}[15] = 'off';
&General::writehasharray("${General::swroot}/vpn/config", %confighash); &writeipsecfiles(); if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $key); - sleep $sleepDelay; + system('/usr/local/bin/ipsecctrl', 'S', $key); + sleep $sleepDelay; } if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { - $cgiparams{'KEY'} = $key; - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + $cgiparams{'KEY'} = $key; + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; } goto VPNCONF_END; - } else { # add new connection - $cgiparams{'ENABLED'} = 'on'; +} else { # add new connection + $cgiparams{'ENABLED'} = 'on'; if ( ! -f "${General::swroot}/private/cakey.pem" ) { - $cgiparams{'AUTH'} = 'psk'; + $cgiparams{'AUTH'} = 'psk'; } elsif ( ! -f "${General::swroot}/ca/cacert.pem") { - $cgiparams{'AUTH'} = 'certfile'; + $cgiparams{'AUTH'} = 'certfile'; } else { - $cgiparams{'AUTH'} = 'certgen'; + $cgiparams{'AUTH'} = 'certgen'; } - $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; - $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; - $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; - $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; - $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; - $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + $cgiparams{'LOCAL_SUBNET'} = "$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $cgiparams{'CERT_EMAIL'} = $vpnsettings{'ROOTCERT_EMAIL'}; + $cgiparams{'CERT_OU'} = $vpnsettings{'ROOTCERT_OU'}; + $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; + $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; + $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; + $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
- # choose appropriate dpd action + # choose appropriate dpd action if ($cgiparams{'TYPE'} eq 'host') { $cgiparams{'DPD_ACTION'} = 'clear'; } else { @@ -1872,64 +1876,63 @@ END
# Default IKE Version to v2 if (!$cgiparams{'IKE_VERSION'}) { - $cgiparams{'IKE_VERSION'} = 'ikev2'; + $cgiparams{'IKE_VERSION'} = 'ikev2'; }
# ID are empty - $cgiparams{'LOCAL_ID'} = ''; + $cgiparams{'LOCAL_ID'} = ''; $cgiparams{'REMOTE_ID'} = '';
#use default advanced value - $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; - $cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; - $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; - $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; - $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; - $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; - $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; - $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; - $cgiparams{'COMPRESSION'} = 'on'; #[13]; - $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; - $cgiparams{'PFS'} = 'on'; #[28]; - $cgiparams{'VHOST'} = 'on'; #[14]; - } - - VPNCONF_ERROR: - $checked{'ENABLED'}{'off'} = ''; - $checked{'ENABLED'}{'on'} = ''; - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; - - $checked{'EDIT_ADVANCED'}{'off'} = ''; - $checked{'EDIT_ADVANCED'}{'on'} = ''; - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; - - $checked{'AUTH'}{'psk'} = ''; - $checked{'AUTH'}{'certreq'} = ''; - $checked{'AUTH'}{'certgen'} = ''; - $checked{'AUTH'}{'certfile'} = ''; - $checked{'AUTH'}{'pkcs12'} = ''; - $checked{'AUTH'}{'auth-dn'} = ''; - $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } + $cgiparams{'IKE_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[18]; + 
$cgiparams{'IKE_INTEGRITY'} = 'sha2_512|sha2_256|sha'; #[19]; + $cgiparams{'IKE_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[20]; + $cgiparams{'IKE_LIFETIME'} = '3'; #[16]; + $cgiparams{'ESP_ENCRYPTION'} = 'aes256gcm128|aes256gcm96|aes256gcm64|aes256|aes192gcm128|aes192gcm96|aes192gcm64|aes192|aes128gcm128|aes128gcm96|aes128gcm64|aes128'; #[21]; + $cgiparams{'ESP_INTEGRITY'} = 'sha2_512|sha2_256|sha1'; #[22]; + $cgiparams{'ESP_GROUPTYPE'} = '4096|3072|2048|1536|1024'; #[23]; + $cgiparams{'ESP_KEYLIFE'} = '1'; #[17]; + $cgiparams{'COMPRESSION'} = 'on'; #[13]; + $cgiparams{'ONLY_PROPOSED'} = 'off'; #[24]; + $cgiparams{'PFS'} = 'on'; #[28]; +}
- if ($warnmessage) { - &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); - print "<class name='base'>$warnmessage"; - print " </class>"; - &Header::closebox(); - } +VPNCONF_ERROR: + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = "checked='checked'"; + + $checked{'EDIT_ADVANCED'}{'off'} = ''; + $checked{'EDIT_ADVANCED'}{'on'} = ''; + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = "checked='checked'"; + + $checked{'AUTH'}{'psk'} = ''; + $checked{'AUTH'}{'certreq'} = ''; + $checked{'AUTH'}{'certgen'} = ''; + $checked{'AUTH'}{'certfile'} = ''; + $checked{'AUTH'}{'pkcs12'} = ''; + $checked{'AUTH'}{'auth-dn'} = ''; + $checked{'AUTH'}{$cgiparams{'AUTH'}} = "checked='checked'"; + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:"); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + }
- print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; - print<<END + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + print<<END <input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' /> <input type='hidden' name='IKE_VERSION' value='$cgiparams{'IKE_VERSION'}' /> <input type='hidden' name='IKE_ENCRYPTION' value='$cgiparams{'IKE_ENCRYPTION'}' /> 
@@ -1943,178 +1946,183 @@ END <input type='hidden' name='COMPRESSION' value='$cgiparams{'COMPRESSION'}' /> <input type='hidden' name='ONLY_PROPOSED' value='$cgiparams{'ONLY_PROPOSED'}' /> <input type='hidden' name='PFS' value='$cgiparams{'PFS'}' /> - <input type='hidden' name='VHOST' value='$cgiparams{'VHOST'}' /> <input type='hidden' name='DPD_ACTION' value='$cgiparams{'DPD_ACTION'}' /> <input type='hidden' name='DPD_DELAY' value='$cgiparams{'DPD_DELAY'}' /> <input type='hidden' name='DPD_TIMEOUT' value='$cgiparams{'DPD_TIMEOUT'}' /> <input type='hidden' name='FORCE_MOBIKE' value='$cgiparams{'FORCE_MOBIKE'}' /> END - ; - if ($cgiparams{'KEY'}) { - print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />"; - print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />"; - print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />"; - } - - &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); - print "<table width='100%'>"; - if (!$cgiparams{'KEY'}) { - print <<EOF; - <tr> - <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' /> - </td> - <td colspan="2"></td> - </tr> +; + if ($cgiparams{'KEY'}) { + print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />"; + print "<input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />"; + print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />"; + } + + &Header::openbox('100%', 'left', "$Lang::tr{'connection'}: $cgiparams{'NAME'}"); + print "<table width='100%'>"; + if (!$cgiparams{'KEY'}) { + print <<EOF; + <tr> + <td width='20%'>$Lang::tr{'name'}: <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='NAME' value='$cgiparams{'NAME'}' size='25' /> + </td> + <td colspan="2"></td> + </tr> EOF - } + }
- my $disabled; - my $blob; - if ($cgiparams{'TYPE'} eq 'host') { + my $disabled; + my $blob; + if ($cgiparams{'TYPE'} eq 'host') { $disabled = "disabled='disabled'"; - } elsif ($cgiparams{'TYPE'} eq 'net') { + } elsif ($cgiparams{'TYPE'} eq 'net') { $blob = "<img src='/blob.gif' alt='*' />"; - }; + };
- print <<END + my @local_subnets = split(/|/, $cgiparams{'LOCAL_SUBNET'}); + my $local_subnets = join(",", @local_subnets); + + my @remote_subnets = split(/|/, $cgiparams{'REMOTE_SUBNET'}); + my $remote_subnets = join(",", @remote_subnets); + + print <<END <tr> <td width='20%'>$Lang::tr{'enabled'}</td> <td width='30%'> - <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /> + <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /> + </td> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> + <td width='30%'> + <input type='text' name='LOCAL_SUBNET' value='$local_subnets' /> + </td> + </tr> + <tr> + <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> + <td width='30%'> + <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> + </td> + <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> + <td width='30%'> + <input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' /> </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'local subnet'} <img src='/blob.gif' alt='*' /></td> - <td width='30%'> - <input type='text' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' size="25" /> - </td> - </tr> - <tr> - <td class='boldbase' width='20%'>$Lang::tr{'remote host/ip'}: $blob</td> - <td width='30%'> - <input type='text' name='REMOTE' value='$cgiparams{'REMOTE'}' size="25" /> - </td> - <td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'} $blob</td> - <td width='30%'> - <input $disabled type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' size="25" /> - </td> </tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> - <td width='30%'> - <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" /> - </td> - <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td> - <td width='30%'> - <input type='text' 
name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" /> - </td> + <td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td> + <td width='30%'> + <input type='text' name='LOCAL_ID' value='$cgiparams{'LOCAL_ID'}' size="25" /> + </td> + <td class='boldbase' width='20%'>$Lang::tr{'vpn remote id'}:</td> + <td width='30%'> + <input type='text' name='REMOTE_ID' value='$cgiparams{'REMOTE_ID'}' size="25" /> + </td> </tr> <tr><td colspan="4"><br /></td></tr> <tr> - <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td> - <td colspan='3'> - <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> - </td> - </tr> -END - ; - if (!$cgiparams{'KEY'}) { - print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>"; - } - print "</table>"; - &Header::closebox(); - - if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { - &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); - print <<END - <table width='100%' cellpadding='0' cellspacing='5' border='0'> - <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td> - <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> + <td class='boldbase' width='20%'>$Lang::tr{'remark title'}</td> + <td colspan='3'> + <input type='text' name='REMARK' value='$cgiparams{'REMARK'}' maxlength='50' size="73" /> + </td> </tr> - </table> END - ; +; + if (!$cgiparams{'KEY'}) { + print "<tr><td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</td></tr>"; + } + print "</table>"; &Header::closebox(); - } elsif (! $cgiparams{'KEY'}) { - my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; - $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); - my $cacrtdisabled = ( ! 
-f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : '';
- &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); - print <<END - <table width='100%' cellpadding='0' cellspacing='5' border='0'> - <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td> - <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td> - <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> - <tr><td colspan='3' bgcolor='#000000'></td></tr> - <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> - <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td> - <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr> - <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> - <td class='base'>$Lang::tr{'upload a certificate'}</td></tr> - <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td> - <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr> - <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> - <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr> - <tr><td colspan='3' bgcolor='#000000'></td></tr> - <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> - <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users email'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' 
value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'users department'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'organization name'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'city'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'state or province'}:</td> - <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'country'}:</td> - <td class='base'><select name='CERT_COUNTRY' $cakeydisabled> + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { + &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); + print <<END + <table width='100%' cellpadding='0' cellspacing='5' border='0'> + <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td> + <td class='base' width='50%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td> + </tr> + </table> END - ; - foreach my $country (sort keys %{Countries::countries}) { - print "\t\t\t<option value='$Countries::countries{$country}'"; - if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) { - print " selected='selected'"; - } - print ">$country</option>\n"; +; + &Header::closebox(); + } elsif (! $cgiparams{'KEY'}) { + my $cakeydisabled = ( ! -f "${General::swroot}/private/cakey.pem" ) ? "disabled='disabled'" : ''; + $cgiparams{'CERT_NAME'} = $Lang::tr{'vpn no full pki'} if ($cakeydisabled); + my $cacrtdisabled = ( ! 
-f "${General::swroot}/ca/cacert.pem" ) ? "disabled='disabled'" : ''; + + &Header::openbox('100%', 'left', $Lang::tr{'authentication'}); + print <<END + <table width='100%' cellpadding='0' cellspacing='5' border='0'> + <tr><td width='5%'><input type='radio' name='AUTH' value='psk' $checked{'AUTH'}{'psk'} /></td> + <td class='base' width='55%'>$Lang::tr{'use a pre-shared key'}</td> + <td class='base' width='40%'><input type='password' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr> + <tr><td colspan='3' bgcolor='#000000'></td></tr> + <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td> + <td class='base'><hr />$Lang::tr{'upload a certificate request'}</td> + <td class='base' rowspan='3' valign='middle'><input type='file' name='FH' size='30' $cacrtdisabled /></td></tr> + <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td> + <td class='base'>$Lang::tr{'upload a certificate'}</td></tr> + <tr><td><input type='radio' name='AUTH' value='pkcs12' $cacrtdisabled /></td> + <td class='base'>$Lang::tr{'upload p12 file'} $Lang::tr{'pkcs12 file password'}:<input type='password' name='P12_PASS'/></td></tr> + <tr><td><input type='radio' name='AUTH' value='auth-dn' $checked{'AUTH'}{'auth-dn'} $cacrtdisabled /></td> + <td class='base'><hr />$Lang::tr{'vpn auth-dn'}</td></tr> + <tr><td colspan='3' bgcolor='#000000'></td></tr> + <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td> + <td class='base'><hr />$Lang::tr{'generate a certificate'}</td><td> </td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users fullname or system hostname'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users email'}:</td> + <td class='base' 
nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'users department'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'organization name'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'city'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'state or province'}:</td> + <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'country'}:</td> + <td class='base'><select name='CERT_COUNTRY' $cakeydisabled> +END +; + foreach my $country (sort keys %{Countries::countries}) { + print "\t\t\t<option value='$Countries::countries{$country}'"; + if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) { + print " selected='selected'"; + } + print ">$country</option>\n"; + } + print <<END + </select></td></tr> + + <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> + <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td> + <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr> + <tr><td> </td><td 
class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td> + <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr> + </table> +END +; + &Header::closebox(); } - print <<END - </select></td></tr>
- <tr><td> </td><td class='base'>$Lang::tr{'vpn subjectaltname'} (subjectAltName=email:*,URI:*,DNS:*,RID:*)</td> - <td class='base' nowrap='nowrap'><input type='text' name='SUBJECTALTNAME' value='$cgiparams{'SUBJECTALTNAME'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td> - <td class='base'>$Lang::tr{'pkcs12 file password'}: <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr> - <tr><td> </td><td class='base'>$Lang::tr{'pkcs12 file password'} ($Lang::tr{'confirmation'}): <img src='/blob.gif' alt='*' /></td> - <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr> - </table> -END - ; - &Header::closebox(); - } - - print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; - if ($cgiparams{'KEY'}) { - print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />"; - } - print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - - VPNCONF_END: + print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />"; + if ($cgiparams{'KEY'}) { + print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />"; + } + print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>"; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + + VPNCONF_END: }
### 
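Review bot: the two added `split(/|/, ...)` calls at the top of this hunk (for `LOCAL_SUBNET` and `REMOTE_SUBNET`) use an unescaped `|` as written, which Perl reads as an alternation of two empty patterns, so the stored value is split into single characters and `join(",", ...)` puts a comma between every character rather than between subnets. Escape the separator, `split(/\|/, $cgiparams{'LOCAL_SUBNET'})`, and the same for the remote side. Separately, `$local_subnets` and `$remote_subnets` are interpolated into `value='...'` without HTML escaping, so a quote in a stored value ends the attribute early; escape on output. The two new inputs also drop the `size="25"` that the removed lines had, which should be either restored or mentioned in the commit message.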
@@ -2122,303 +2130,288 @@ END ### if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) { - &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - if (! $confighash{$cgiparams{'KEY'}}) { - $errormessage = $Lang::tr{'invalid key'}; - goto ADVANCED_END; - } - - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { - # I didn't read any incompatibilities here.... - #if ($cgiparams{'VHOST'} eq 'on' && $cgiparams{'COMPRESSION'} eq 'on') { - # $errormessage = $Lang::tr{'cannot enable both nat traversal and compression'}; - # goto ADVANCED_ERROR; - #} - my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } + &General::readhash("${General::swroot}/vpn/settings", %vpnsettings); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + if (! 
$confighash{$cgiparams{'KEY'}}) { + $errormessage = $Lang::tr{'invalid key'}; + goto ADVANCED_END; + } + + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for ike lifetime'}; + goto ADVANCED_ERROR; + } + if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) { + $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; + goto ADVANCED_ERROR; + } + @temp = split('|', $cgiparams{'ESP_ENCRYPTION'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val 
(@temp) { + if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + @temp = split('|', $cgiparams{'ESP_GROUPTYPE'}); + if ($#temp < 0) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + foreach my $val (@temp) { + if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + } + if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for esp keylife'}; + goto ADVANCED_ERROR; + } + if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) { + $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'}; + goto ADVANCED_ERROR; + } + + if (($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || + ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || + ($cgiparams{'ONLY_PROPOSED'} !~ /^(|on|off)$/) || + ($cgiparams{'PFS'} !~ /^(|on|off)$/)) { + $errormessage = $Lang::tr{'invalid input'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd delay'}; + goto ADVANCED_ERROR; + } + + if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { + $errormessage = $Lang::tr{'invalid input for dpd timeout'}; + goto ADVANCED_ERROR; + } + + $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; + $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; + $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; + $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; + $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'}; + $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'}; + $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; + $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; + $confighash{$cgiparams{'KEY'}}[17] = 
$cgiparams{'ESP_KEYLIFE'}; + $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; + $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; + $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; + $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; + $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; + $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; + $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; + $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; + &General::writehasharray("${General::swroot}/vpn/config", %confighash); + &writeipsecfiles(); + if (&vpnenabled) { + system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); + sleep $sleepDelay; + } + goto ADVANCED_END; + } else { + $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'IKE_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[18]; + $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; + $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; + $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; + $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; + $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; + if ($cgiparams{'ESP_GROUPTYPE'} eq "") { + $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; + } + $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; + $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; + $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + + if (!$cgiparams{'DPD_DELAY'}) { + 
$cgiparams{'DPD_DELAY'} = 30; + } + + if (!$cgiparams{'DPD_TIMEOUT'}) { + $cgiparams{'DPD_TIMEOUT'} = 120; + } } + + ADVANCED_ERROR: + $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; + $checked{'IKE_ENCRYPTION'}{'3des'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; + $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; + my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); + foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } + $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; + $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; + $checked{'IKE_INTEGRITY'}{'sha'} = ''; + $checked{'IKE_INTEGRITY'}{'md5'} = ''; + $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(sha2_(512|384|256)|sha|md5|aesxcbc)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + $checked{'IKE_GROUPTYPE'}{'1024'} = ''; + $checked{'IKE_GROUPTYPE'}{'1536'} = ''; + $checked{'IKE_GROUPTYPE'}{'2048'} = ''; + $checked{'IKE_GROUPTYPE'}{'3072'} = ''; + $checked{'IKE_GROUPTYPE'}{'4096'} = ''; + $checked{'IKE_GROUPTYPE'}{'6144'} 
= ''; + $checked{'IKE_GROUPTYPE'}{'8192'} = ''; @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'IKE_LIFETIME'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for ike lifetime'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'IKE_LIFETIME'} < 1 || $cgiparams{'IKE_LIFETIME'} > 8) { - $errormessage = $Lang::tr{'ike lifetime should be between 1 and 8 hours'}; - goto ADVANCED_ERROR; - } + foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } + + # 768 is not supported by strongswan + $checked{'IKE_GROUPTYPE'}{'768'} = ''; + + $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; + $checked{'ESP_ENCRYPTION'}{'3des'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; + $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; @temp = split('|', $cgiparams{'ESP_ENCRYPTION'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(aes(256|192|128)(gcm(128|96|64))?|3des|camellia(256|192|128))$/) { - $errormessage = $Lang::tr{'invalid input'}; 
- goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } + $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; + $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; + $checked{'ESP_INTEGRITY'}{'sha1'} = ''; + $checked{'ESP_INTEGRITY'}{'md5'} = ''; + $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(sha2_(512|384|256)|sha1|md5|aesxcbc)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } + foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } + $checked{'ESP_GROUPTYPE'}{'768'} = ''; + $checked{'ESP_GROUPTYPE'}{'1024'} = ''; + $checked{'ESP_GROUPTYPE'}{'1536'} = ''; + $checked{'ESP_GROUPTYPE'}{'2048'} = ''; + $checked{'ESP_GROUPTYPE'}{'3072'} = ''; + $checked{'ESP_GROUPTYPE'}{'4096'} = ''; + $checked{'ESP_GROUPTYPE'}{'6144'} = ''; + $checked{'ESP_GROUPTYPE'}{'8192'} = ''; + $checked{'ESP_GROUPTYPE'}{'none'} = ''; @temp = split('|', $cgiparams{'ESP_GROUPTYPE'}); - if ($#temp < 0) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - foreach my $val (@temp) { - if ($val !~ /^(e521|e384|e256|e224|e192|e512bp|e384bp|e256bp|e224bp|1024|1536|2048|2048s256|2048s224|2048s160|3072|4096|6144|8192|none)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'ESP_KEYLIFE'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for esp keylife'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'ESP_KEYLIFE'} < 1 || $cgiparams{'ESP_KEYLIFE'} > 24) { - $errormessage = $Lang::tr{'esp keylife should be between 1 and 24 hours'}; - goto ADVANCED_ERROR; - } - - if ( - ($cgiparams{'COMPRESSION'} !~ /^(|on|off)$/) || - ($cgiparams{'FORCE_MOBIKE'} !~ /^(|on|off)$/) || - ($cgiparams{'ONLY_PROPOSED'} !~ 
/^(|on|off)$/) || - ($cgiparams{'PFS'} !~ /^(|on|off)$/) || - ($cgiparams{'VHOST'} !~ /^(|on|off)$/) - ){ - $errormessage = $Lang::tr{'invalid input'}; - goto ADVANCED_ERROR; - } - - if ($cgiparams{'DPD_DELAY'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for dpd delay'}; - goto ADVANCED_ERROR; - } - - if ($cgiparams{'DPD_TIMEOUT'} !~ /^\d+$/) { - $errormessage = $Lang::tr{'invalid input for dpd timeout'}; - goto ADVANCED_ERROR; - } - - $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'IKE_VERSION'}; - $confighash{$cgiparams{'KEY'}}[18] = $cgiparams{'IKE_ENCRYPTION'}; - $confighash{$cgiparams{'KEY'}}[19] = $cgiparams{'IKE_INTEGRITY'}; - $confighash{$cgiparams{'KEY'}}[20] = $cgiparams{'IKE_GROUPTYPE'}; - $confighash{$cgiparams{'KEY'}}[16] = $cgiparams{'IKE_LIFETIME'}; - $confighash{$cgiparams{'KEY'}}[21] = $cgiparams{'ESP_ENCRYPTION'}; - $confighash{$cgiparams{'KEY'}}[22] = $cgiparams{'ESP_INTEGRITY'}; - $confighash{$cgiparams{'KEY'}}[23] = $cgiparams{'ESP_GROUPTYPE'}; - $confighash{$cgiparams{'KEY'}}[17] = $cgiparams{'ESP_KEYLIFE'}; - $confighash{$cgiparams{'KEY'}}[12] = 'off'; #$cgiparams{'AGGRMODE'}; - $confighash{$cgiparams{'KEY'}}[13] = $cgiparams{'COMPRESSION'}; - $confighash{$cgiparams{'KEY'}}[24] = $cgiparams{'ONLY_PROPOSED'}; - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'PFS'}; - $confighash{$cgiparams{'KEY'}}[14] = $cgiparams{'VHOST'}; - $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'DPD_ACTION'}; - $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'DPD_TIMEOUT'}; - $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'DPD_DELAY'}; - $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'FORCE_MOBIKE'}; - &General::writehasharray("${General::swroot}/vpn/config", %confighash); - &writeipsecfiles(); - if (&vpnenabled) { - system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); - sleep $sleepDelay; - } - goto ADVANCED_END; - } else { - $cgiparams{'IKE_VERSION'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'IKE_ENCRYPTION'} = 
$confighash{$cgiparams{'KEY'}}[18]; - $cgiparams{'IKE_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[19]; - $cgiparams{'IKE_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[20]; - $cgiparams{'IKE_LIFETIME'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'ESP_ENCRYPTION'} = $confighash{$cgiparams{'KEY'}}[21]; - $cgiparams{'ESP_INTEGRITY'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'ESP_GROUPTYPE'} = $confighash{$cgiparams{'KEY'}}[23]; - if ($cgiparams{'ESP_GROUPTYPE'} eq "") { - $cgiparams{'ESP_GROUPTYPE'} = $cgiparams{'IKE_GROUPTYPE'}; - } - $cgiparams{'ESP_KEYLIFE'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'COMPRESSION'} = $confighash{$cgiparams{'KEY'}}[13]; - $cgiparams{'ONLY_PROPOSED'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'PFS'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'VHOST'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DPD_ACTION'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'DPD_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'DPD_DELAY'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'FORCE_MOBIKE'} = $confighash{$cgiparams{'KEY'}}[32]; + foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; }
- if (!$cgiparams{'DPD_DELAY'}) { - $cgiparams{'DPD_DELAY'} = 30; - } + $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? "checked='checked'" : '' ; + $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ; + $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; + $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ;
- if (!$cgiparams{'DPD_TIMEOUT'}) { - $cgiparams{'DPD_TIMEOUT'} = 120; - } + $selected{'IKE_VERSION'}{'ikev1'} = ''; + $selected{'IKE_VERSION'}{'ikev2'} = ''; + $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'";
- if ($confighash{$cgiparams{'KEY'}}[3] eq 'net' || $confighash{$cgiparams{'KEY'}}[10]) { - $cgiparams{'VHOST'} = 'off'; - } - } - - ADVANCED_ERROR: - $checked{'IKE_ENCRYPTION'}{'aes256'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm128'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm96'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes256gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes192gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'aes128gcm64'} = ''; - $checked{'IKE_ENCRYPTION'}{'3des'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia256'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia192'} = ''; - $checked{'IKE_ENCRYPTION'}{'camellia128'} = ''; - my @temp = split('|', $cgiparams{'IKE_ENCRYPTION'}); - foreach my $key (@temp) {$checked{'IKE_ENCRYPTION'}{$key} = "selected='selected'"; } - $checked{'IKE_INTEGRITY'}{'sha2_512'} = ''; - $checked{'IKE_INTEGRITY'}{'sha2_384'} = ''; - $checked{'IKE_INTEGRITY'}{'sha2_256'} = ''; - $checked{'IKE_INTEGRITY'}{'sha'} = ''; - $checked{'IKE_INTEGRITY'}{'md5'} = ''; - $checked{'IKE_INTEGRITY'}{'aesxcbc'} = ''; - @temp = split('|', $cgiparams{'IKE_INTEGRITY'}); - foreach my $key (@temp) {$checked{'IKE_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'IKE_GROUPTYPE'}{'768'} = ''; - $checked{'IKE_GROUPTYPE'}{'1024'} = ''; - $checked{'IKE_GROUPTYPE'}{'1536'} = ''; - $checked{'IKE_GROUPTYPE'}{'2048'} = ''; - $checked{'IKE_GROUPTYPE'}{'3072'} = ''; - $checked{'IKE_GROUPTYPE'}{'4096'} = ''; - $checked{'IKE_GROUPTYPE'}{'6144'} = ''; - $checked{'IKE_GROUPTYPE'}{'8192'} = ''; - @temp = split('|', $cgiparams{'IKE_GROUPTYPE'}); - foreach my $key (@temp) {$checked{'IKE_GROUPTYPE'}{$key} = "selected='selected'"; } - - # 768 is not supported by strongswan - 
$checked{'IKE_GROUPTYPE'}{'768'} = ''; - - $checked{'ESP_ENCRYPTION'}{'aes256'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm128'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm96'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes256gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes192gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'aes128gcm64'} = ''; - $checked{'ESP_ENCRYPTION'}{'3des'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia256'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia192'} = ''; - $checked{'ESP_ENCRYPTION'}{'camellia128'} = ''; - @temp = split('|', $cgiparams{'ESP_ENCRYPTION'}); - foreach my $key (@temp) {$checked{'ESP_ENCRYPTION'}{$key} = "selected='selected'"; } - $checked{'ESP_INTEGRITY'}{'sha2_512'} = ''; - $checked{'ESP_INTEGRITY'}{'sha2_384'} = ''; - $checked{'ESP_INTEGRITY'}{'sha2_256'} = ''; - $checked{'ESP_INTEGRITY'}{'sha1'} = ''; - $checked{'ESP_INTEGRITY'}{'md5'} = ''; - $checked{'ESP_INTEGRITY'}{'aesxcbc'} = ''; - @temp = split('|', $cgiparams{'ESP_INTEGRITY'}); - foreach my $key (@temp) {$checked{'ESP_INTEGRITY'}{$key} = "selected='selected'"; } - $checked{'ESP_GROUPTYPE'}{'768'} = ''; - $checked{'ESP_GROUPTYPE'}{'1024'} = ''; - $checked{'ESP_GROUPTYPE'}{'1536'} = ''; - $checked{'ESP_GROUPTYPE'}{'2048'} = ''; - $checked{'ESP_GROUPTYPE'}{'3072'} = ''; - $checked{'ESP_GROUPTYPE'}{'4096'} = ''; - $checked{'ESP_GROUPTYPE'}{'6144'} = ''; - $checked{'ESP_GROUPTYPE'}{'8192'} = ''; - $checked{'ESP_GROUPTYPE'}{'none'} = ''; - @temp = split('|', $cgiparams{'ESP_GROUPTYPE'}); - foreach my $key (@temp) {$checked{'ESP_GROUPTYPE'}{$key} = "selected='selected'"; } - - $checked{'COMPRESSION'} = $cgiparams{'COMPRESSION'} eq 'on' ? 
"checked='checked'" : '' ; - $checked{'FORCE_MOBIKE'} = $cgiparams{'FORCE_MOBIKE'} eq 'on' ? "checked='checked'" : '' ; - $checked{'ONLY_PROPOSED'} = $cgiparams{'ONLY_PROPOSED'} eq 'on' ? "checked='checked'" : '' ; - $checked{'PFS'} = $cgiparams{'PFS'} eq 'on' ? "checked='checked'" : '' ; - $checked{'VHOST'} = $cgiparams{'VHOST'} eq 'on' ? "checked='checked'" : '' ; - - $selected{'IKE_VERSION'}{'ikev1'} = ''; - $selected{'IKE_VERSION'}{'ikev2'} = ''; - $selected{'IKE_VERSION'}{$cgiparams{'IKE_VERSION'}} = "selected='selected'"; - - $selected{'DPD_ACTION'}{'clear'} = ''; - $selected{'DPD_ACTION'}{'hold'} = ''; - $selected{'DPD_ACTION'}{'restart'} = ''; - $selected{'DPD_ACTION'}{'none'} = ''; - $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'"; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage"; - print " </class>"; - &Header::closebox(); - } + $selected{'DPD_ACTION'}{'clear'} = ''; + $selected{'DPD_ACTION'}{'hold'} = ''; + $selected{'DPD_ACTION'}{'restart'} = ''; + $selected{'DPD_ACTION'}{'none'} = ''; + $selected{'DPD_ACTION'}{$cgiparams{'DPD_ACTION'}} = "selected='selected'";
- if ($warnmessage) { - &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); - print "<class name='base'>$warnmessage"; - print " </class>"; - &Header::closebox(); - } + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage"; + print " </class>"; + &Header::closebox(); + }
- &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); - print <<EOF - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ADVANCED' value='yes' /> - <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + if ($warnmessage) { + &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); + print "<class name='base'>$warnmessage"; + print " </class>"; + &Header::closebox(); + }
- <table width='100%'> + &Header::openbox('100%', 'left', "$Lang::tr{'advanced'}:"); + print <<EOF + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ADVANCED' value='yes' /> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + + <table width='100%'> <thead> <tr> <th width="15%"></th> @@ -2564,14 +2557,14 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> </tr> </tbody> - </table> + </table>
<br><br>
<h2>$Lang::tr{'dead peer detection'}</h2>
- <table width="100%"> - <tr> + <table width="100%"> + <tr> <td width="15%">$Lang::tr{'dpd action'}:</td> <td> <select name='DPD_ACTION'> @@ -2594,11 +2587,11 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || <input type='text' name='DPD_DELAY' size='5' value='$cgiparams{'DPD_DELAY'}' /> </td> </tr> - </table> + </table>
- <hr> + <hr>
- <table width="100%"> + <table width="100%"> <tr> <td> <label> @@ -2632,18 +2625,9 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || </td> </tr> EOF - ; - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { - print "<tr><td><input type='hidden' name='VHOST' value='off' /></td></tr>"; - } elsif ($confighash{$cgiparams{'KEY'}}[10]) { - print "<tr><td><label><input type='checkbox' name='VHOST' $checked{'VHOST'} disabled='disabled' />"; - print " $Lang::tr{'vpn vhost'}</label></td></tr>"; - } else { - print "<tr><td><label><input type='checkbox' name='VHOST' $checked{'VHOST'} />"; - print " $Lang::tr{'vpn vhost'}</label></td></tr>"; - } - - print <<EOF; +; + + print <<EOF; <tr> <td align='left' colspan='1'><img src='/blob.gif' align='top' alt='*' /> $Lang::tr{'required field'}</td> <td align='right' colspan='2'> @@ -2651,58 +2635,58 @@ EOF <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /> </td> </tr> - </table></form> + </table></form> EOF
- &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit(0);
- ADVANCED_END: + ADVANCED_END: }
### ### Default status page ### - %cgiparams = (); - %cahash = (); - %confighash = (); - &General::readhash("${General::swroot}/vpn/settings", %cgiparams); - &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); - &General::readhasharray("${General::swroot}/vpn/config", %confighash); - $cgiparams{'CA_NAME'} = ''; - - my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; - - # suggest a default name for this side - if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = <IPADDR>; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } - } - } - # no IP found, use %defaultroute - $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); - - $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); - $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? 
"checked='checked'" : ''; - - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ipsec'}, 1, ''); - &Header::openbigbox('100%', 'left', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); - print "<class name='base'>$errormessage\n"; - print " </class>\n"; - &Header::closebox(); - } + %cgiparams = (); + %cahash = (); + %confighash = (); + &General::readhash("${General::swroot}/vpn/settings", %cgiparams); + &General::readhasharray("${General::swroot}/vpn/caconfig", %cahash); + &General::readhasharray("${General::swroot}/vpn/config", %confighash); + $cgiparams{'CA_NAME'} = ''; + + my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`; + + # suggest a default name for this side + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { + if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = <IPADDR>; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/./, $ipaddr)), 2))[0]; + if ($cgiparams{'VPN_IP'} eq '') { + $cgiparams{'VPN_IP'} = $ipaddr; + } + } + } + # no IP found, use %defaultroute + $cgiparams{'VPN_IP'} ='%defaultroute' if ($cgiparams{'VPN_IP'} eq ''); + + $cgiparams{'VPN_DELAYED_START'} = 0 if (! defined ($cgiparams{'VPN_DELAYED_START'})); + $checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : ''; + + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ipsec'}, 1, ''); + &Header::openbigbox('100%', 'left', '', $errormessage); + + if ($errormessage) { + &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); + print "<class name='base'>$errormessage\n"; + print " </class>\n"; + &Header::closebox(); + }
if ($warnmessage) { &Header::openbox('100%', 'left', $Lang::tr{'warning messages'}); @@ -2714,61 +2698,61 @@ EOF exit 0; }
- &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); - print <<END - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%'> - <tr> + &Header::openbox('100%', 'left', $Lang::tr{'global settings'}); + print <<END + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%'> + <tr> <td width='20%' class='base' nowrap='nowrap'>$Lang::tr{'vpn red name'}: <img src='/blob.gif' alt='*' /></td> <td width='20%'><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' /></td> <td width='20%' class='base'>$Lang::tr{'enabled'}<input type='checkbox' name='ENABLED' $checked{'ENABLED'} /></td> - </tr> + </tr> END - ; +; print <<END - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> + <tr> + <td class='base' nowrap='nowrap'>$Lang::tr{'vpn delayed start'}: <img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /></td> <td ><input type='text' name='VPN_DELAYED_START' value='$cgiparams{'VPN_DELAYED_START'}' /></td> - </tr> - <tr> - <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> + </tr> + <tr> + <td class='base' nowrap='nowrap'>$Lang::tr{'host to net vpn'}:</td> <td ><input type='text' name='RW_NET' value='$cgiparams{'RW_NET'}' /></td> - </tr> + </tr> </table> <br> <hr /> <table width='100%'> <tr> - <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> - <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> + <td class='base' valign='top'><img src='/blob.gif' alt='*' /></td> + <td width='70%' class='base' valign='top'>$Lang::tr{'required field'}</td><td width='30%' align='right' class='base'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td> </tr> <tr> - <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> 
</td> - <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> - <td></td> + <td class='base' valign='top' nowrap='nowrap'><img src='/blob.gif' alt='*' /><img src='/blob.gif' alt='*' /> </td> + <td class='base'> <font class='base'>$Lang::tr{'vpn delayed start help'}</font></td> + <td></td> </tr> </table> END -; - print "</form>"; - &Header::closebox(); - - &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); - print <<END - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> - <tr> +; + print "</form>"; + &Header::closebox(); + + &Header::openbox('100%', 'left', $Lang::tr{'connection status and controlc'}); + print <<END + <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> + <tr> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th> <th width='22%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th> <th width='23%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></th> <th width='30%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th> <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th> <th class='boldbase' align='center' colspan='6'><b>$Lang::tr{'action'}</b></th> - </tr> + </tr> END - ; - my $id = 0; - my $gif; - foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { +; + my $id = 0; + my $gif; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
if ($id % 2) { 
@@ -2781,302 +2765,304 @@ END print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>"; print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") $confighash{$key}[29]</td>"; if ($confighash{$key}[2] eq '%auth-dn') { - print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; + print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[9]</td>"; } elsif ($confighash{$key}[4] eq 'cert') { - print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; + print "<td align='left' nowrap='nowrap' $col>$confighash{$key}[2]</td>"; } else { - print "<td align='left' $col> </td>"; + print "<td align='left' $col> </td>"; } print "<td align='center' $col>$confighash{$key}[25]</td>"; my $col1="bgcolor='${Header::colourred}'"; # get real state my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; foreach my $line (@status) { - if (($line =~ /"$confighash{$key}[1]".*IPsec SA established/) || - ($line =~ /$confighash{$key}[1]{.*INSTALLED/)) - { - $col1="bgcolor='${Header::colourgreen}'"; - $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; - } - } - # move to blueif really down + if (($line =~ /"$confighash{$key}[1]".*IPsec SA established/) || + ($line =~ /$confighash{$key}[1]{.*INSTALLED/)) { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>"; + } + } + # move to blue if really down if ($confighash{$key}[0] eq 'off' && $col1 =~ /${Header::colourred}/ ) { $col1="bgcolor='${Header::colourblue}'"; - $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; + $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>"; } print <<END <td align='center' $col1>$active</td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' 
alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'restart'}' src='/images/reload.gif' alt='$Lang::tr{'restart'}' title='$Lang::tr{'restart'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'restart'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> END - ; +; if (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> - </td> + </form> + </td> END - ; } else { - print "<td width='2%' $col> </td>"; +; + } else { + print "<td width='2%' $col> </td>"; } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/certs/$confighash{$key}[1].p12") { + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> + </form> </td> END - ; } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne 
'%auth-dn')) { - print <<END - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> +; + } elsif (($confighash{$key}[4] eq 'cert') && ($confighash{$key}[2] ne '%auth-dn')) { + print <<END + <td align='center' $col> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' /> <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' /> <input type='hidden' name='KEY' value='$key' /> - </form> + </form> </td> END - ; } else { - print "<td width='2%' $col> </td>"; +; + } else { + print "<td width='2%' $col> </td>"; } print <<END <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td>
<td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> - <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' /> + <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> </td> </tr> END - ; +; $id++; - } - print "</table>"; - - # If the config file contains entries, print Key to action icons - if ( $id ) { - print <<END - <table> - <tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> - <td class='base'>$Lang::tr{'click to disable'}</td> - <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> - <td class='base'>$Lang::tr{'show certificate'}</td> - <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> - <td class='base'>$Lang::tr{'edit'}</td> - <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> - <td class='base'>$Lang::tr{'remove'}</td> - 
</tr> - <tr> - <td> </td> - <td> <img src='/images/off.gif' alt='?OFF' /></td> - <td class='base'>$Lang::tr{'click to enable'}</td> - <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - <td> <img src='/images/reload.gif' alt='?RELOAD'/></td> - <td class='base'>$Lang::tr{'restart'}</td> - </tr> - </table> + } + print "</table>"; + + # If the config file contains entries, print Key to action icons + if ( $id ) { + print <<END + <table> + <tr> + <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> + <td> <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td> + <td class='base'>$Lang::tr{'click to disable'}</td> + <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> + <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td> + <td class='base'>$Lang::tr{'edit'}</td> + <td> <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td> + <td class='base'>$Lang::tr{'remove'}</td> + </tr> + <tr> + <td> </td> + <td> <img src='/images/off.gif' alt='?OFF' /></td> + <td class='base'>$Lang::tr{'click to enable'}</td> + <td> <img src='/images/floppy.gif' alt='?FLOPPY' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + <td> <img src='/images/reload.gif' alt='?RELOAD'/></td> + <td class='base'>$Lang::tr{'restart'}</td> + </tr> + </table> END - ; - } +; + }
- print <<END - <table width='100%'> - <tr><td align='right' colspan='9'> + print <<END + <table width='100%'> + <tr><td align='right' colspan='9'> <form method='post' action='$ENV{'SCRIPT_NAME'}'> <input type='submit' name='ACTION' value='$Lang::tr{'add'}' /> </form> - </td></tr> - </table> + </td></tr> + </table> END - ; - &Header::closebox(); +; + &Header::closebox();
- &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); - print <<EOF - <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> - <tr> + &Header::openbox('100%', 'left', "$Lang::tr{'certificate authorities'}"); + print <<EOF + <table width='100%' cellspacing='1' cellpadding='0' class='tbl'> + <tr> <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th> <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th> <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th> - </tr> + </tr> EOF - ; - my $col1="bgcolor='$color{'color22'}'"; +; + my $col1="bgcolor='$color{'color22'}'"; my $col2="bgcolor='$color{'color20'}'"; - if (-f "${General::swroot}/ca/cacert.pem") { - my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); - print <<END - <tr> - <td class='base' $col1>$Lang::tr{'root certificate'}</td> - <td class='base' $col1>$casubject</td> - <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> - <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> - </form> - </td> - <td width='3%' align='center' $col1> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' /> - </form> - </td> - <td width='4%' $col1> </td></tr> + if (-f "${General::swroot}/ca/cacert.pem") { + my $casubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/cacert.pem")); + print <<END + <tr> + <td class='base' $col1>$Lang::tr{'root certificate'}</td> + <td 
class='base' $col1>$casubject</td> + <td width='3%' align='center' $col1> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' /> + <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' /> + </form> + </td> + <td width='3%' align='center' $col1> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' /> + </form> + </td> + <td width='4%' $col1> </td></tr> END - ; - } else { - # display rootcert generation buttons - print <<END - <tr> - <td class='base' $col1>$Lang::tr{'root certificate'}:</td> - <td class='base' $col1>$Lang::tr{'not present'}</td> - <td colspan='3' $col1> </td></tr> +; + } else { + # display rootcert generation buttons + print <<END + <tr> + <td class='base' $col1>$Lang::tr{'root certificate'}:</td> + <td class='base' $col1>$Lang::tr{'not present'}</td> + <td colspan='3' $col1> </td></tr> END - ; - } +; + }
- if (-f "${General::swroot}/certs/hostcert.pem") { - my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem")); + if (-f "${General::swroot}/certs/hostcert.pem") { + my $hostsubject = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/certs/hostcert.pem"));
- print <<END - <tr> - <td class='base' $col2>$Lang::tr{'host certificate'}</td> - <td class='base' $col2>$hostsubject</td> - <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> - <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> - </form> - </td> - <td width='3%' align='center' $col2> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" /> - <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> - </form> - </td> - <td width='4%' $col2> </td></tr> + print <<END + <tr> + <td class='base' $col2>$Lang::tr{'host certificate'}</td> + <td class='base' $col2>$hostsubject</td> + <td width='3%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' /> + <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' /> + </form> + </td> + <td width='3%' align='center' $col2> + <form method='post' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/floppy.gif' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" /> + <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" /> + </form> + </td> + <td width='4%' $col2> </td></tr> END - ; - } else { - # Nothing - print <<END - <tr> - <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td> - <td class='base' $col2>$Lang::tr{'not present'}</td> - 
<td colspan='3' $col2> </td></tr> +; + } else { + # Nothing + print <<END + <tr> + <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td> + <td class='base' $col2>$Lang::tr{'not present'}</td> + <td colspan='3' $col2> </td></tr> END - ; - } - +; + } + my $rowcolor = 0; if (keys %cahash > 0) { foreach my $key (keys %cahash) { - if ($rowcolor++ % 2) { - print "<tr>"; - $col="bgcolor='$color{'color20'}'"; - } else { - print "<tr>"; - $col="bgcolor='$color{'color22'}'"; - } - print "<td class='base' $col>$cahash{$key}[0]</td>\n"; - print "<td class='base' $col>$cahash{$key}[1]</td>\n"; - print <<END - <td align='center' $col> - <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - <td align='center' $col> - <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'> - <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' /> - <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - <td align='center' $col> - <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> - <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' /> - <input type='hidden' name='KEY' value='$key' /> - </form> - </td> - </tr> + if ($rowcolor++ % 2) { + print "<tr>"; + $col="bgcolor='$color{'color20'}'"; + } else { + 
print "<tr>"; + $col="bgcolor='$color{'color22'}'"; + } + print "<td class='base' $col>$cahash{$key}[0]</td>\n"; + print "<td class='base' $col>$cahash{$key}[1]</td>\n"; + print <<END + <td align='center' $col> + <form method='post' name='cafrm${key}a' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + <td align='center' $col> + <form method='post' name='cafrm${key}b' action='$ENV{'SCRIPT_NAME'}'> + <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' /> + <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + <td align='center' $col> + <form method='post' name='cafrm${key}c' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' /> + <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' /> + <input type='hidden' name='KEY' value='$key' /> + </form> + </td> + </tr> END - ; +; + } } - } - print "</table>"; - - # If the file contains entries, print Key to action icons - if ( -f "${General::swroot}/ca/cacert.pem") { - print <<END - <table><tr> - <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> - <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> - <td class='base'>$Lang::tr{'show certificate'}</td> - <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td> - <td class='base'>$Lang::tr{'download certificate'}</td> - </tr></table> + 
print "</table>"; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ca/cacert.pem") { + print <<END + <table><tr> + <td class='boldbase'> <b>$Lang::tr{'legend'}:</b></td> + <td> <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td> + <td class='base'>$Lang::tr{'show certificate'}</td> + <td> <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td> + <td class='base'>$Lang::tr{'download certificate'}</td> + </tr></table> END - ; - } - my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; - print <<END - <br> - <hr /> - <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> - <table width='100%' border='0' cellspacing='1' cellpadding='0'> - $createCA - <tr> +; + } + my $createCA = -f "${General::swroot}/ca/cacert.pem" ? '' : "<tr><td colspan='3'></td><td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td></tr>"; + print <<END + <br> + <hr /> + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <table width='100%' border='0' cellspacing='1' cellpadding='0'> + $createCA + <tr> <td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}: <img src='/blob.gif' alt='*' /></td> <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' /> </td> <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td> <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td> - </tr> - <tr> + </tr> + <tr> <td colspan='3'>$Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}:</td> <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></td> - </tr> - </table> - </form> + </tr> + </table> 
+ </form> END - ; - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); +; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage();
sub array_unique($) { my $array = shift; @@ -3132,3 +3118,16 @@ sub make_algos($$$$$) {
return &array_unique(@algos); } + +sub make_subnets($) { + my $subnets = shift; + + my @nets = split(/|/, $subnets); + my @cidr_nets = (); + foreach my $net (@nets) { + my $cidr_net = &General::ipcidr($net); + push(@cidr_nets, $cidr_net); + } + + return join(",", @cidr_nets); +} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c21bac5..2bca854 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -699,6 +699,11 @@ 'dhcp bootp pxe data' => 'Geben Sie optionale BOOTP PXE-Daten für diese feste Zuordnung ein', 'dhcp configuration' => 'DHCP-Konfiguration', 'dhcp create fixed leases' => 'Feste Zuordnungen erzeugen', +'dhcp dns enable update' => 'DNS-Update (RFC2136) aktivieren:', +'dhcp dns key name' => 'Schlüsselname:', +'dhcp dns update' => 'DNS-Update', +'dhcp dns update algo' => 'Algorithmus:', +'dhcp dns update secret' => 'Schlüssel:', 'dhcp fixed lease err1' => 'Für eine feste Zuordnung müssen entweder die Hardware Adresse (MAC-Adresse) oder der Hostname oder beide eingetragen werden.', 'dhcp fixed lease help1' => 'IP Adressen können als FQDN angegeben werden.', 'dhcp mode' => 'DHCP', @@ -726,6 +731,7 @@ 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen', 'display webinterface effects' => 'Überblendeffekte einschalten', 'dl client arch' => 'Client Paket herunterladen (zip)', +'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches', 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu', @@ -844,7 +850,7 @@ 'email mailpass' => 'Passwort', 'email mailport' => 'Mailserver-Port', 'email mailrcpt' => 'E-Mail-Empfänger', -'email mailsender' => 'E-Mail Absender', +'email mailsender' => 'E-Mail-Absender', 'email mailuser' => 'Benutzername', 'email server can not be empty' => 'Email-Server darf nicht leer sein', 'email settings' => 'Mailversand', 
@@ -2569,11 +2575,11 @@ 'urlfilter whitelist always allowed' => 'Erlaube angepasste Whitelist für gesperrte Clients', 'urlfilter wrong filetype' => 'Die Datei hat nicht die Erweiterung .tar.gz', 'use' => 'Einsatz', -'use a pre-shared key' => 'Verwenden Sie einen Pre-Shared Schlüssel:', +'use a pre-shared key' => 'Pre-Shared-Key verwenden:', 'use dov' => 'DOV (Data Over Voice) benutzen:', 'use ibod' => 'Bandwidth on Demand (iBOD) benutzen:', 'use ipfire red ip' => 'Die klassische ROTE IP, welche von IPFire während der Verbindung verwendet wird', -'use only proposed settings' => 'Verwenden Sie nur die vorgeschlagenen Einstellungen.', +'use only proposed settings' => 'Nur die vorgeschlagenen Einstellungen verwenden', 'used' => 'Benutzt', 'used memory' => 'Genutzter Speicher', 'used swap' => 'Genutzter Swap', @@ -2620,7 +2626,6 @@ 'vpn statistic n2n' => 'OpenVPN-Netz-zu-Netz-Statistik', 'vpn statistic rw' => 'OpenVPN-Roadwarrior-Statistik', 'vpn subjectaltname' => 'Subjekt Alternativer Name', -'vpn vhost' => 'Roadwarrior virtuelle IP (manchmal auch Inner-IP genannt)', 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).', 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert', 'warn when traffic reaches' => 'Warnen wenn Traffic x % erreicht', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 783fd0f..4c52392 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -722,6 +722,11 @@ 'dhcp bootp pxe data' => 'Enter optional bootp pxe data for this fixed lease', 'dhcp configuration' => 'DHCP configuration', 'dhcp create fixed leases' => 'Create fixed leases', +'dhcp dns enable update' => 'Enable DNS Update (RFC2136):', +'dhcp dns key name' => 'Key Name:', +'dhcp dns update' => 'DNS Update', +'dhcp dns update algo' => 'Algorithm:', +'dhcp dns update secret' => 'Secret:', 'dhcp fixed lease err1' => 'For a fix lease you have to enter the MAC address or the hostname, or you enter both.', 'dhcp fixed lease help1' => 'IP Addresses might be entered as FQDN', 'dhcp mode' => 'DHCP', @@ -751,6 +756,7 @@ 'display traffic at home' => 'Display calculated traffic on startpage', 'display webinterface effects' => 'Activate effects', 'dl client arch' => 'Download Client Package (zip)', +'dl client arch insecure' => 'Download insecure Client Package (zip)', 'dmz' => 'DMZ', 'dmz pinhole configuration' => 'DMZ pinhole configuration', 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole', @@ -2664,7 +2670,6 @@ 'vpn statistic n2n' => 'OpenVPN Net-to-Net Statistics', 'vpn statistic rw' => 'OpenVPN Roadwarrior Statistics', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', 'waiting to synchronize clock' => 'Waiting to synchronize clock', 'warn when traffic reaches' => 'Warn when traffic reaches x %', diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl index c0422b1..e24e75e 100644 --- a/langs/es/cgi-bin/es.pl +++ b/langs/es/cgi-bin/es.pl 
@@ -2107,7 +2107,6 @@ 'vpn red name' => 'Dirección IP pública o FQDN para la interfaz RED o<%defaultroute>', 'vpn remote id' => 'ID Remoto', 'vpn subjectaltname' => 'Nombre alternativo en Asunto', -'vpn vhost' => 'IP virtual Roadwarris (también referida como ip-interior)', 'vpn watch' => 'Reinciar vpn net-to-net cuando la ip remota cambie (dyndns)', 'waiting to synchronize clock' => 'Esperando sincronización con el reloj', 'warn when traffic reaches' => 'Advertir cuando el tráfico alcance x %', diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl index 43e69a7..0d173ae 100644 --- a/langs/fr/cgi-bin/fr.pl +++ b/langs/fr/cgi-bin/fr.pl @@ -2111,7 +2111,6 @@ 'vpn red name' => 'IP publique ou nom de domaine complet pour l'interface ROUGE ou <%defaultroute>', 'vpn remote id' => 'ID Distant', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'IP Virtuelle Roadwarrior (parfois appelée Inner-IP)', 'vpn watch' => 'Redémarrer net-to-net VPN si IP hôte distant change (dyndns).', 'waiting to synchronize clock' => 'Attendre la synchronisation de l'horloge', 'warn when traffic reaches' => 'Avertir lorsque le trafic atteint x %', diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl index 0623bd5..950f700 100644 --- a/langs/it/cgi-bin/it.pl +++ b/langs/it/cgi-bin/it.pl @@ -2586,7 +2586,6 @@ 'vpn red name' => 'IP pubblico o il nome di dominio completo per l'interfaccia RED o <%defaultroute>', 'vpn remote id' => 'Remote ID', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).', 'waiting to synchronize clock' => 'Waiting to synchronize clock', 'warn when traffic reaches' => 'Warn when traffic reaches x %', diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl index f748b74..9d90a08 100644 --- a/langs/nl/cgi-bin/nl.pl +++ b/langs/nl/cgi-bin/nl.pl 
@@ -2529,7 +2529,6 @@ 'vpn red name' => 'Publiek IP of FQDN voor RODE interface of <%defaultroute>', 'vpn remote id' => 'Remote ID', 'vpn subjectaltname' => 'Onderwerp Alt Naam', -'vpn vhost' => 'Roadwarrior virtual IP (Ook wel Inner-IP genoemd)', 'vpn watch' => 'Herstart net-to-net vpn wanneer remote peer IP verandert (dyndns).', 'waiting to synchronize clock' => 'Wachten op synchronisatie van klok', 'warn when traffic reaches' => 'Waarschuw wanneer verkeer x % bereikt', diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl index 30cc81e..47abf2c 100644 --- a/langs/pl/cgi-bin/pl.pl +++ b/langs/pl/cgi-bin/pl.pl @@ -2120,7 +2120,6 @@ 'vpn red name' => 'Publiczne IP lub FQDN interfejsu RED lub <%defaultroute>', 'vpn remote id' => 'Zdalne ID', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Uruchom ponownie vpn net-to-net kiedy zmieni się IP zdalnej końcówki (dyndns).', 'waiting to synchronize clock' => 'Oczekiwanie na synchronizację zegara', 'warn when traffic reaches' => 'Ostrzegaj kiedy ruch osiągnie x %', diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl index 8cf985b..6840f81 100644 --- a/langs/ru/cgi-bin/ru.pl +++ b/langs/ru/cgi-bin/ru.pl @@ -2115,7 +2115,6 @@ 'vpn red name' => 'Внешний IP или FQDN для RED интерфейса или <%defaultroute>', 'vpn remote id' => 'Удалённый ID', 'vpn subjectaltname' => 'Subject Alt Name', -'vpn vhost' => 'Roadwarrior virtual IP (sometimes called Inner-IP)', 'vpn watch' => 'Перезапускать net-to-net vpn когда удалённый IP меняется (dyndns).', 'waiting to synchronize clock' => 'Ожидается синхронизация', 'warn when traffic reaches' => 'Предупреждать когда трафик возрастает до x %', diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl index 5426a06..782bc00 100644 --- a/langs/tr/cgi-bin/tr.pl +++ b/langs/tr/cgi-bin/tr.pl 
@@ -2609,7 +2609,6 @@ 'vpn red name' => 'KIRMIZI arabirim veya <%defaultroute> için gerçek IP veya FQDN', 'vpn remote id' => 'Uzak kimlik (ID)', 'vpn subjectaltname' => 'Alternatif konu adı', -'vpn vhost' => 'Roadwarrior sanal IP (bazen iç IP olarakta adlandırılır)', 'vpn watch' => 'Karşı eş IP değiştirdiğinde (dyndns) ağdan-ağa VPN bağlantısını yeniden başlat. Bu DPD ye yardımcı olur.', 'waiting to synchronize clock' => 'Saat eşleştirmesi bekleniyor', 'warn when traffic reaches' => 'Trafik x % değere ulaştığında uyar', diff --git a/lfs/asterisk b/lfs/asterisk index 154fe77..91dc4fd 100755 --- a/lfs/asterisk +++ b/lfs/asterisk @@ -20,7 +20,7 @@
include Config
-VER = 11.18.0 +VER = 11.20.0
THISAPP = asterisk-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -28,7 +28,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = asterisk -PAK_VER = 17 +PAK_VER = 18
DEPS = "libsrtp"
@@ -46,7 +46,7 @@ asterisk-extra-sounds-en-gsm-1.4.15.tar.gz = $(URL_IPFIRE)/asterisk-extra-sounds asterisk-moh-opsound-gsm-2.03.tar.gz = $(URL_IPFIRE)/asterisk-moh-opsound-gsm-2.03.tar.gz asterisk-1.4-de-prompts.tar.gz = $(URL_IPFIRE)/asterisk-1.4-de-prompts.tar.gz
-$(DL_FILE)_MD5 = 3ddb42b54db200faccd68906df210a40 +$(DL_FILE)_MD5 = d15759b05862250073e2708394ad2f4c asterisk-extra-sounds-en-gsm-1.4.15.tar.gz_MD5 = 5099fc65f49008e33ba7fb043a4ec995 asterisk-moh-opsound-gsm-2.03.tar.gz_MD5 = 09066f55f1358f298bc1a6e4678a3ddf asterisk-1.4-de-prompts.tar.gz_MD5 = 626a2b95071a5505851e43874dfbfd5c diff --git a/lfs/backports b/lfs/backports index 0bc6447..ab6fbdc 100644 --- a/lfs/backports +++ b/lfs/backports @@ -82,9 +82,13 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/backports-3.18.1-1-ipfire-build.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/backports-3.18.1-1-grsecurity.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/backports-3.18.1-1-add_usbnet_modules.patch +ifeq "$(MACHINE)" "x86_64" + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/backports-3.18.1-1_no_dma_sgtable_on_x86_64.patch +endif
# DVB patches cd $(DIR_APP) && patch -Np2 < $(DIR_SRC)/src/patches/v4l-dvb_fix_tua6034_pll.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10-dvb_tevi_s482.patch
# Wlan patches cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/compat-drivers-3.8.3-ath_ignore_eeprom_regdomain.patch diff --git a/lfs/ddns b/lfs/ddns index b692d9a..750c728 100644 --- a/lfs/ddns +++ b/lfs/ddns @@ -24,7 +24,7 @@
include Config
-VER = 008 +VER = 009
THISAPP = ddns-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f8b9441f18c2667d440d5416ec2e0011 +$(DL_FILE)_MD5 = 31f949d9f417ee7f801cf8aac849a92e
install : $(TARGET)
diff --git a/lfs/dma b/lfs/dma index 977efc8..cf264ea 100644 --- a/lfs/dma +++ b/lfs/dma @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2011 IPFire Team info@ipfire.org # +# Copyright (C) 2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 0.9.1 +VER = 0.10
THISAPP = dma-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 56afaf438ba34d4ff9c8879dc29a16b1 +$(DL_FILE)_MD5 = 91f521b0749e16f5d78e139e717245ea
install : $(TARGET)
diff --git a/lfs/e1000e b/lfs/e1000e index d23369c..5f284ce 100644 --- a/lfs/e1000e +++ b/lfs/e1000e @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -27,7 +27,7 @@ include Config VERSUFIX = ipfire$(KCFG) MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/ethernet/intel/e1000e
-VER = 3.1.0.2 +VER = 3.2.7.1
THISAPP = e1000e-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = b8d770160691edd247a90070f45642ce +$(DL_FILE)_MD5 = 8f62c220d763fa92473365e40d55bd86
install : $(TARGET)
diff --git a/lfs/igb b/lfs/igb index fa762e0..85d228c 100644 --- a/lfs/igb +++ b/lfs/igb @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -27,7 +27,7 @@ include Config VERSUFIX = ipfire$(KCFG) MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/kernel/drivers/net/ethernet/intel/igb/
-VER = 5.2.9.3 +VER = 5.3.3.2
THISAPP = igb-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 814395d3b76090f378002bddecfd2dfc +$(DL_FILE)_MD5 = 2d753a0bd03c949ec08d68c27540044d
install : $(TARGET)
diff --git a/lfs/initscripts b/lfs/initscripts index 4005941..141fd66 100755 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -177,7 +177,6 @@ $(TARGET) : ln -sf ../init.d/localnet /etc/rc.d/rcsysinit.d/S80localnet ln -sf ../init.d/firewall /etc/rc.d/rcsysinit.d/S85firewall ln -sf ../init.d/network-trigger /etc/rc.d/rcsysinit.d/S90network-trigger - ln -sf ../init.d/network-vlans /etc/rc.d/rcsysinit.d/S91network-vlans ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S92rngd ln -sf ../init.d/wlanclient /etc/rc.d/rc0.d/K82wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient diff --git a/lfs/ipset b/lfs/ipset new file mode 100644 index 0000000..254b1ec --- /dev/null +++ b/lfs/ipset 
@@ -0,0 +1,87 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2015 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 6.26 + +THISAPP = ipset-$(VER) +DL_FILE = $(THISAPP).tar.bz2 +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 5ec4e79053a30fb6d72e0549d7d09343 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && ./autogen.sh + cd $(DIR_APP) && KSOURCEDIR=/usr/src/linux KBUILDDIR=/usr/src/linux ./configure \ + --prefix=/usr \ + --disable-static + + # Add configuration directory + -mkdir -pv /etc/ipset + chmod 750 /etc/ipset + chown root:root /etc/ipset + + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/krb5 b/lfs/krb5 index 68be46c..3011982 100644 --- a/lfs/krb5 +++ b/lfs/krb5 @@ -93,8 +93,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-dns-for-realm \ CPPFLAGS="-I/usr/include/et"
- cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) - cd $(DIR_APP) && make $(EXTRA_INSTALL) install + cd $(DIR_APP) && make #$(MAKETUNING) + cd $(DIR_APP) && make install
for LIB in gssapi_krb5 gssrpc k5crypto kadm5clnt kadm5srv \ kdb5 kdb_ldap krad krb5 krb5support verto; do \ diff --git a/lfs/linux b/lfs/linux index b603b48..da0578a 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,11 +24,11 @@
include Config
-VER = 3.14.43 +VER = 3.14.57 +RPI_PATCHES = 3.14.57-grsec-ipfire1 +A7M_PATCHES = 3.14.57-grsec-ipfire1 +GRS_PATCHES = grsecurity-3.1ipfire-3.14.57-v1.patch.xz
-RPI_PATCHES = 3.14.43-grsec-ipfire1 -A7M_PATCHES = 3.14.43-grsec-ipfire1 -GRS_PATCHES = grsecurity-3.1-3.14.43-201505191737.patch.xz
THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -37,7 +37,7 @@ DIR_APP = $(DIR_SRC)/$(THISAPP) CFLAGS = CXXFLAGS =
-PAK_VER = 62 +PAK_VER = 63 DEPS = ""
KERNEL_ARCH = $(MACHINE) @@ -83,10 +83,10 @@ rpi-patches-$(RPI_PATCHES).patch.xz = $(URL_IPFIRE)/rpi-patches-$(RPI_PATCHES). arm7-multi-patches-$(A7M_PATCHES).patch.xz = $(URL_IPFIRE)/arm7-multi-patches-$(A7M_PATCHES).patch.xz $(GRS_PATCHES) = $(URL_IPFIRE)/$(GRS_PATCHES)
-$(DL_FILE)_MD5 = 927f2343f298dfe531a8371f81356e53 -rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = b5ba925ae1d4279d3ac0f03c27dd16eb -arm7-multi-patches-$(A7M_PATCHES).patch.xz_MD5 = b9c696fe4f22b05b81c168329ca33c94 -$(GRS_PATCHES)_MD5 = 35e26b1214b1b0b515ee67e5ce50633a +$(DL_FILE)_MD5 = b7e254c83a0324852c8ccc4ed1b5377d +rpi-patches-$(RPI_PATCHES).patch.xz_MD5 = 4ab53e184441c895adf318a1c2874d43 +arm7-multi-patches-$(A7M_PATCHES).patch.xz_MD5 = f29bd5c156384b0a4bb7c6e2c973ea06 +$(GRS_PATCHES)_MD5 = de603c5cb2e38ee308f1647ad3bd24cf
install : $(TARGET)
@@ -167,14 +167,15 @@ endif # r8169 L23 patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.32-r8169_disable_L23.patch
- # SuperSSpeed S238 NOTRIM patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.43_SuperSSpeed_NOTRIM.patch # update the queued trim blacklist from kernel 4.2rc1 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.43_new_qtrim_blacklist.patch
# HyperV 2008 patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.x-hyperv-2008-fix.patch
+ # fix empty symbol crc's + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-genksyms_fix_typeof_handling.patch + ifeq "$(KCFG)" "-kirkwood" cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.10.10-mv_cesa_disable_failing_hmac_sha1.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/linux-3.14.22-kirkwood_legacy_boot.patch diff --git a/lfs/lzo b/lfs/lzo index 19ad090..2afc89f 100644 --- a/lfs/lzo +++ b/lfs/lzo @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.06 +VER = 2.09
THISAPP = lzo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 95380bd4081f85ef08c5209f4107e9f8 +$(DL_FILE)_MD5 = c7ffc9a103afe2d1bba0b015e7aa887f
install : $(TARGET)
@@ -70,9 +70,14 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch - cd $(DIR_APP) && ./configure --prefix=/usr --enable-shared + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --enable-shared \ + --disable-static \ + --docdir=/usr/share/doc/lzo-2.09 + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/monit b/lfs/monit index 92e0760..453ad03 100644 --- a/lfs/monit +++ b/lfs/monit @@ -24,7 +24,7 @@
include Config
-VER = 5.12.1 +VER = 5.14
THISAPP = monit-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = monit -PAK_VER = 6 +PAK_VER = 7
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 1ffde79207270925f6f7df787d19100a +$(DL_FILE)_MD5 = 1b3ae1eb08a0914402a8764e5689c1c5
install : $(TARGET)
diff --git a/lfs/ntp b/lfs/ntp index c3d8d58..c03624e 100644 --- a/lfs/ntp +++ b/lfs/ntp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2015 Michael Tremer & Christian Schmidt # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.2.8 +VER = 4.2.8p4
THISAPP = ntp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 6972a626be6150db8cfbd0b63d8719e7 +$(DL_FILE)_MD5 = 6af96862b09324a8ef965ca76b759c8b
install : $(TARGET)
diff --git a/lfs/openvmtools b/lfs/openvmtools index baae595..d12a63c 100644 --- a/lfs/openvmtools +++ b/lfs/openvmtools @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -31,7 +31,7 @@ DL_FILE = $(THISAPP).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) -SUP_ARCH = i586 +SUP_ARCH = x86_64 i586 PROG = openvmtools PAK_VER = 1
diff --git a/lfs/snort b/lfs/snort index 77d3b0d..148f539 100644 --- a/lfs/snort +++ b/lfs/snort @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2015 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.9.7.0 +VER = 2.9.7.6
THISAPP = snort-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -36,11 +36,11 @@ TARGET = $(DIR_INFO)/$(THISAPP) # Top-level Rules ###############################################################################
-objects = $(DL_FILE) +objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = c2a45bc56441ee9456478f219dd8d1e2 +$(DL_FILE)_MD5 = 65349f3272c4de5b3210f77f1f7ab0e6
install : $(TARGET)
@@ -72,18 +72,14 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) $(DIR_SRC)/snort* && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure \ --prefix=/usr \ - --disable-nls \ --sysconfdir=/etc/snort \ --target=i586 \ --enable-linux-smp-stats \ - --enable-smb-alerts \ --enable-gre --enable-mpls \ --enable-targetbased \ - --enable-decoder-preprocessor-rules \ --enable-ppm \ --enable-non-ether-decoders \ --enable-perfprofiling \ - --enable-zlib \ --enable-active-response \ --enable-normalizer \ --enable-reload \ diff --git a/lfs/sox b/lfs/sox index 378429d..de60c90 100644 --- a/lfs/sox +++ b/lfs/sox @@ -79,7 +79,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && ./configure --prefix=/usr --disable-alsa-dsp --disable-oss-dsp \ --disable-sun-audio --disable-mad - cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) + cd $(DIR_APP) && make $(EXTRA_MAKE) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/stage2 b/lfs/stage2 index 3244fa3..ec5d117 100644 --- a/lfs/stage2 +++ b/lfs/stage2 @@ -114,6 +114,8 @@ endif /usr/lib/firewall/rules.pl install -m 644 $(DIR_SRC)/config/firewall/firewall-lib.pl \ /usr/lib/firewall/firewall-lib.pl + install -m 755 $(DIR_SRC)/config/firewall/ipsec-block \ + /usr/lib/firewall/ipsec-block
# Nobody user -mkdir -p /home/nobody diff --git a/lfs/strongswan b/lfs/strongswan index b4438dd..2a181a3 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.3.2 +VER = 5.3.3
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = fab014be1477ef4ebf9a765e10f8802c +$(DL_FILE)_MD5 = 5a25f3d1c31a77ef44d14a2e7b3eaad0
install : $(TARGET)
@@ -99,6 +99,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-eap-peap \ --enable-eap-mschapv2 \ --enable-eap-identity \ + --disable-chapoly \ $(CONFIGURE_OPTIONS)
cd $(DIR_APP) && make $(MAKETUNING) diff --git a/lfs/tor b/lfs/tor index c21e4b4..91eab09 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 14 +PAK_VER = 15
DEPS = ""
diff --git a/lfs/udev b/lfs/udev index e58839c..7d5bdbc 100644 --- a/lfs/udev +++ b/lfs/udev @@ -107,6 +107,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install network rules. install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-rename \ /lib/udev/network-hotplug-rename + install -v -m 755 $(DIR_SRC)/config/udev/network-hotplug-vlan \ + /lib/udev/network-hotplug-vlan install -v -m 644 $(DIR_SRC)/config/udev/60-net.rules \ /lib/udev/rules.d
diff --git a/make.sh b/make.sh index f307258..ff67537 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.17" # Version number -CORE="94" # Core Level (Filename) -PAKFIRE_CORE="94" # Core Level (PAKFIRE) +CORE="95" # Core Level (Filename) +PAKFIRE_CORE="95" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir @@ -421,7 +421,7 @@ buildipfire() { case "${TARGET_ARCH}" in x86_64) ipfiremake linux KCFG="" -# ipfiremake backports KCFG="" + ipfiremake backports KCFG="" ipfiremake cryptodev KCFG="" ipfiremake e1000e KCFG="" ipfiremake igb KCFG="" @@ -435,7 +435,7 @@ buildipfire() { ipfiremake backports KCFG="-pae" ipfiremake cryptodev KCFG="-pae" ipfiremake e1000e KCFG="-pae" -# ipfiremake igb KCFG="-pae" + ipfiremake igb KCFG="-pae" ipfiremake ixgbe KCFG="-pae" ipfiremake xtables-addons KCFG="-pae" ipfiremake linux-initrd KCFG="-pae" @@ -445,7 +445,7 @@ buildipfire() { ipfiremake backports KCFG="" ipfiremake cryptodev KCFG="" ipfiremake e1000e KCFG="" -# ipfiremake igb KCFG="" + ipfiremake igb KCFG="" ipfiremake ixgbe KCFG="" ipfiremake xtables-addons KCFG="" ipfiremake linux-initrd KCFG="" @@ -464,7 +464,7 @@ buildipfire() { ipfiremake backports KCFG="-multi" ipfiremake cryptodev KCFG="-multi" ipfiremake e1000e KCFG="-multi" -# ipfiremake igb KCFG="-multi" + ipfiremake igb KCFG="-multi" ipfiremake ixgbe KCFG="-multi" ipfiremake xtables-addons KCFG="-multi" ipfiremake linux-initrd KCFG="-multi" @@ -474,7 +474,7 @@ buildipfire() { ipfiremake backports KCFG="-kirkwood" ipfiremake cryptodev KCFG="-kirkwood" ipfiremake e1000e KCFG="-kirkwood" -# ipfiremake igb KCFG="-kirkwood" + ipfiremake igb KCFG="-kirkwood" ipfiremake ixgbe KCFG="-kirkwood" ipfiremake xtables-addons KCFG="-kirkwood" ipfiremake linux-initrd KCFG="-kirkwood" 
@@ -850,6 +850,7 @@ buildipfire() { ipfiremake perl-Text-CSV_XS ipfiremake swconfig ipfiremake haproxy + ipfiremake ipset }
buildinstaller() { diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq index ce7689f..059ffac 100644 --- a/src/initscripts/init.d/dnsmasq +++ b/src/initscripts/init.d/dnsmasq @@ -55,6 +55,21 @@ function dns_forward_args() { echo "${cmdline}" }
+function dns_leases_args() { + eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) + + # If the DHCP server is enabled and DNS Update (RFC2136) is + # enabled, too, we won't overlay the internal domain with + # the dynamic/static leases. + + if ([ "${ENABLE_GREEN}" = "on" ] || [ "${ENABLE_BLUE}" = "on" ]) \ + && [ "${DNS_UPDATE_ENABLED}" = "on" ]; then + return + fi + + echo "-l /var/state/dhcp/dhcpd.leases" +} + case "${1}" in start) # kill already running copy of dnsmasq... @@ -65,7 +80,10 @@ case "${1}" in eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) ARGS="$CUSTOM_ARGS" [ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN" - + + # DHCP configuration + ARGS="${ARGS} $(dns_leases_args)" + echo > /var/ipfire/red/resolv.conf # Clear it if [ -e "/var/ipfire/red/dns1" ]; then DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null) @@ -95,7 +113,7 @@ case "${1}" in ARGS="${ARGS} --cache-size=${CACHE_SIZE}" fi
- loadproc /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases $ARGS + loadproc /usr/sbin/dnsmasq ${ARGS} if [ "${SHOW_SRV}" -eq 1 ] && [ "${DNS1}" != "" -o "${DNS2}" != "" ]; then boot_mesg "Using DNS server(s): ${DNS1} ${DNS2}" diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 8ca02bc..6622071 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall @@ -115,6 +115,11 @@ iptables_init() { iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN
+ # Block non-established IPsec networks + iptables -N IPSECBLOCK + iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK + iptables -A OUTPUT -m policy --dir out --pol none -j IPSECBLOCK + # Block OpenVPN transfer networks iptables -N OVPNBLOCK iptables -A INPUT -i tun+ -j OVPNBLOCK @@ -270,6 +275,9 @@ iptables_init() { iptables -t nat -N REDNAT iptables -t nat -A POSTROUTING -j REDNAT
+ # Populate IPsec block chain + /usr/lib/firewall/ipsec-block + # Apply OpenVPN firewall rules /usr/local/bin/openvpnctrl --firewall-rules
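Review bot: /usr/lib/firewall/ipsec-block is called here with no check that it exists or that it succeeded. The earlier hunk creates IPSECBLOCK empty and jumps to it from FORWARD and OUTPUT for packets that match no outbound IPsec policy, so if this script fails the chain stays empty and traffic for tunnels that are not established is not blocked by it, with nothing logged. Test the exit status and report a failure, rather than continuing silently to the OpenVPN rules.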
@@ -344,8 +352,8 @@ iptables_red_up() { # Outgoing masquerading (don't masqerade IPSEC (mark 50)) iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
- if [ "$IFACE" = "$GREEN_DEV" ]; then - MASQUERADE_GREEN="off" + if [ "${IFACE}" = "${GREEN_DEV}" ]; then + iptables -t nat -A REDNAT -i "${GREEN_DEV}" -o "${IFACE}" -j RETURN fi
local NO_MASQ_NETWORKS diff --git a/src/initscripts/init.d/network-vlans b/src/initscripts/init.d/network-vlans deleted file mode 100644 index a6a75c3..0000000 --- a/src/initscripts/init.d/network-vlans +++ /dev/null 
@@ -1,113 +0,0 @@ -#!/bin/bash -############################################################################ -# # -# This file is part of the IPFire Firewall. # -# # -# IPFire is free software; you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation; either version 2 of the License, or # -# (at your option) any later version. # -# # -# IPFire is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with IPFire; if not, write to the Free Software # -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -# # -# Copyright (C) 2012 IPFire Team info@ipfire.org # -# # -############################################################################ - -CONFIG_FILE="/var/ipfire/ethernet/vlans" - -# Skip immediately if no configuration file has been found. -[ -e "${CONFIG_FILE}" ] || exit 0 - -eval $(/usr/local/bin/readhash ${CONFIG_FILE}) - -# This is start or stop. -action=${1} - -for interface in green0 red0 blue0 orange0; do - case "${interface}" in - green*) - PARENT_DEV=${GREEN_PARENT_DEV} - VLAN_ID=${GREEN_VLAN_ID} - MAC_ADDRESS=${GREEN_MAC_ADDRESS} - ;; - red*) - PARENT_DEV=${RED_PARENT_DEV} - VLAN_ID=${RED_VLAN_ID} - MAC_ADDRESS=${RED_MAC_ADDRESS} - ;; - blue*) - PARENT_DEV=${BLUE_PARENT_DEV} - VLAN_ID=${BLUE_VLAN_ID} - MAC_ADDRESS=${BLUE_MAC_ADDRESS} - ;; - orange*) - PARENT_DEV=${ORANGE_PARENT_DEV} - VLAN_ID=${ORANGE_VLAN_ID} - MAC_ADDRESS=${ORANGE_MAC_ADDRESS} - ;; - esac - - case "${action}" in - start) - # If no parent device has been configured, we assume - # that this interface is not set up for VLANs and - # silently go on. 
- [ -z "${PARENT_DEV}" ] && continue - - # Check if the interface does already exists. - # If so, we skip creating it. - if [ -d "/sys/class/net/${interface}" ]; then - echo "Interface ${interface} already exists." >&2 - continue - fi - - # Check if the parent interface exists. - if [ ! -d "/sys/class/net/${PARENT_DEV}" ]; then - echo "${interface}: Parent device is not set or does not exist: ${PARENT_DEV}" >&2 - continue - fi - - if [ -z "${VLAN_ID}" ]; then - echo "${interface}: You did not set the VLAN ID." >&2 - continue - fi - - # Build command line. - command="ip link add link ${PARENT_DEV} name ${interface}" - if [ -n "${MAC_ADDRESS}" ]; then - command="${command} address ${MAC_ADDRESS}" - fi - command="${command} type vlan id ${VLAN_ID}" - - echo "Creating VLAN interface ${interface}..." - ${command} - - # Bring up the parent device. - ip link set ${PARENT_DEV} up - ;; - - stop) - if [ ! -e "/proc/net/vlan/${interface}" ]; then - echo "${interface} is not a VLAN interface. Skipping." - continue - fi - - echo "Removing VLAN interface ${interface}..." - ip link set ${interface} down - ip link delete ${interface} - ;; - - *) - echo "Invalid action: ${action}" - exit 1 - ;; - esac -done diff --git a/src/initscripts/init.d/networking/red.up/99-geoip-database b/src/initscripts/init.d/networking/red.up/99-geoip-database index 4bd3ee2..335006a 100644 --- a/src/initscripts/init.d/networking/red.up/99-geoip-database +++ b/src/initscripts/init.d/networking/red.up/99-geoip-database @@ -17,7 +17,7 @@ done
# Download ruleset if none has been found. if ! ${found}; then - /usr/local/bin/xt_geoip_update >/dev/null 2>&1 + /usr/local/bin/xt_geoip_update >/dev/null 2>&1 & fi
exit 0 diff --git a/src/misc-progs/ipsecctrl.c b/src/misc-progs/ipsecctrl.c index e99202d..7499e94 100644 --- a/src/misc-progs/ipsecctrl.c +++ b/src/misc-progs/ipsecctrl.c @@ -144,6 +144,9 @@ void turn_connection_on(char *name, char *type) { "/usr/sbin/ipsec down %s >/dev/null", name); safe_system(command);
+ // Reload the IPsec block chain + safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); + // Reload the configuration into the daemon (#10339). ipsec_reload();
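Review bot: the return value of the new safe_system("/usr/lib/firewall/ipsec-block >/dev/null") call in turn_connection_on() is discarded, so a failed reload of the block chain goes unnoticed and the function carries on to ipsec_reload() as if the rules were current. Check the status and report a non-zero result before reloading the daemon. Only stdout is redirected here, so anything the script prints on stderr still reaches the caller; the comment should say whether that is intended.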
@@ -302,6 +305,7 @@ int main(int argc, char *argv[]) {
// start the system if ((argc == 2) && strcmp(argv[1], "S") == 0) { + safe_system("/usr/lib/firewall/ipsec-block >/dev/null"); safe_system("/usr/sbin/ipsec restart >/dev/null"); exit(0); } diff --git a/src/patches/backports-3.18.1-1_no_dma_sgtable_on_x86_64.patch b/src/patches/backports-3.18.1-1_no_dma_sgtable_on_x86_64.patch new file mode 100644 index 0000000..5a2d04e --- /dev/null +++ b/src/patches/backports-3.18.1-1_no_dma_sgtable_on_x86_64.patch @@ -0,0 +1,26 @@ +diff -Naur backports-4.1.1-1.org/compat/dma-shared-helpers.c backports-4.1.1-1/compat/dma-shared-helpers.c +--- backports-4.1.1-1.org/compat/dma-shared-helpers.c 2015-07-01 23:10:37.000000000 +0200 ++++ backports-4.1.1-1/compat/dma-shared-helpers.c 2015-09-25 13:29:14.006762269 +0200 +@@ -20,22 +20,3 @@ + #endif /* LINUX_VERSION_CODE <= KERNEL_VERSION(3,6,0) */ + #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(3,3,0) */ + +-#if RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(7,0) +-/* +- * Create scatter-list for the already allocated DMA buffer. +- */ +-int dma_common_get_sgtable(struct device *dev, struct sg_table *sgt, +- void *cpu_addr, dma_addr_t handle, size_t size) +-{ +- struct page *page = virt_to_page(cpu_addr); +- int ret; +- +- ret = sg_alloc_table(sgt, 1, GFP_KERNEL); +- if (unlikely(ret)) +- return ret; +- +- sg_set_page(sgt->sgl, page, PAGE_ALIGN(size), 0); +- return 0; +-} +-EXPORT_SYMBOL_GPL(dma_common_get_sgtable); +-#endif /* RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(7,0) */ diff --git a/src/patches/linux-3.10-dvb_tevi_s482.patch b/src/patches/linux-3.10-dvb_tevi_s482.patch new file mode 100644 index 0000000..fed875d --- /dev/null +++ b/src/patches/linux-3.10-dvb_tevi_s482.patch 
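Review bot: the new file is named backports-3.18.1-1_no_dma_sgtable_on_x86_64.patch, but the paths inside it are backports-4.1.1-1.org/compat/dma-shared-helpers.c and backports-4.1.1-1/compat/dma-shared-helpers.c, so the version in the name does not match the tree it patches; rename the file or note why the old name is kept. The hunk also removes dma_common_get_sgtable() and its EXPORT_SYMBOL_GPL unconditionally, with nothing in the patch itself tying the removal to x86_64 as the name suggests. A short header comment saying where the architecture restriction is applied would make that reviewable.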
@@ -0,0 +1,240 @@ +diff --git a/drivers/media/usb/dvb-usb/dw2102.c b/drivers/media/usb/dvb-usb/dw2102.c +index 1a3df10..82d35c6 100644 +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -31,6 +31,9 @@ + #include "m88rs2000.h" + #include "tda18271.h" + #include "cxd2820r.h" ++#include "m88ds3103.h" ++#include "m88ts2022.h" ++ + + /* Max transfer size done by I2C transfer functions */ + #define MAX_XFER_SIZE 64 +@@ -71,6 +74,14 @@ + #define USB_PID_TEVII_S480_2 0xd482 + #endif + ++#ifndef USB_PID_TEVII_S482_1 ++#define USB_PID_TEVII_S482_1 0xd483 ++#endif ++ ++#ifndef USB_PID_TEVII_S482_2 ++#define USB_PID_TEVII_S482_2 0xd484 ++#endif ++ + #ifndef USB_PID_PROF_1100 + #define USB_PID_PROF_1100 0xb012 + #endif +@@ -1117,6 +1128,19 @@ static struct tda18271_config tda18271_config = { + .gate = TDA18271_GATE_DIGITAL, + }; + ++static const struct m88ds3103_config s482_m88ds3103_config = { ++ .i2c_addr = 0x68, ++ .clock = 27000000, ++ .i2c_wr_max = 33, ++ .clock_out = 0, ++ .ts_mode = M88DS3103_TS_CI, ++ .ts_clk = 16000, ++ .ts_clk_pol = 0, ++ .agc = 0x99, ++ .lnb_hv_pol = 1, ++ .lnb_en_pol = 1, ++ }; ++ + static u8 m88rs2000_inittab[] = { + DEMOD_WRITE, 0x9a, 0x30, + DEMOD_WRITE, 0x00, 0x01, +@@ -1386,6 +1410,83 @@ static int su3000_frontend_attach(struct dvb_usb_adapter *d) + return -EIO; + } + ++static int m88ds3103_frontend_attach(struct dvb_usb_adapter *d) ++{ ++ u8 obuf[3] = { 0xe, 0x80, 0 }; ++ u8 ibuf[] = { 0 }; ++ ++ /* demod I2C adapter */ ++ struct i2c_adapter *i2c_adapter; ++ struct i2c_client *client; ++ struct i2c_board_info info; ++ struct m88ts2022_config m88ts2022_config = { ++ .clock = 27000000, ++ }; ++ memset(&info, 0, sizeof(struct i2c_board_info)); ++ if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ err("command 0x0e transfer failed."); ++ ++ obuf[0] = 0xe; ++ obuf[1] = 0x02; ++ obuf[2] = 1; ++ ++ if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ err("command 0x0e transfer failed."); ++ 
msleep(300); ++ ++ obuf[0] = 0xe; ++ obuf[1] = 0x83; ++ obuf[2] = 0; ++ ++ if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ err("command 0x0e transfer failed."); ++ ++ obuf[0] = 0xe; ++ obuf[1] = 0x83; ++ obuf[2] = 1; ++ ++ if (dvb_usb_generic_rw(d->dev, obuf, 3, ibuf, 1, 0) < 0) ++ err("command 0x0e transfer failed."); ++ ++ obuf[0] = 0x51; ++ ++ if (dvb_usb_generic_rw(d->dev, obuf, 1, ibuf, 1, 0) < 0) ++ err("command 0x51 transfer failed."); ++ d->fe_adap[0].fe = dvb_attach(m88ds3103_attach, ++ &s482_m88ds3103_config, ++ &d->dev->i2c_adap, ++ &i2c_adapter); ++ if (d->fe_adap[0].fe == NULL) ++ return -EIO; ++ /* attach tuner */ ++ m88ts2022_config.fe = d->fe_adap[0].fe; ++ strlcpy(info.type, "m88ts2022", I2C_NAME_SIZE); ++ info.addr = 0x60; ++ info.platform_data = &m88ts2022_config; ++ request_module("m88ts2022"); ++ client = i2c_new_device(i2c_adapter, &info); ++ if (client == NULL || client->dev.driver == NULL) { ++ dvb_frontend_detach(d->fe_adap[0].fe); ++ goto fail_attach; ++ } ++ if (!try_module_get(client->dev.driver->owner)) { ++ i2c_unregister_device(client); ++ dvb_frontend_detach(d->fe_adap[0].fe); ++ goto fail_attach; ++ } ++ info("attached m88ds3103/m88ts2022!\n"); ++ ++ /* delegate signal strength measurement to tuner */ ++ ++ d->fe_adap[0].fe->ops.read_signal_strength = ++ d->fe_adap[0].fe->ops.tuner_ops.get_rf_strength; ++ ++ return 0; ++fail_attach: ++ info("Failed to attach m88ds3103/m88ts2022!\n"); ++ return -EIO; ++} ++ + static int t220_frontend_attach(struct dvb_usb_adapter *d) + { + u8 obuf[3] = { 0xe, 0x87, 0 }; +@@ -1557,6 +1658,8 @@ enum dw2102_table_entry { + TEVII_S480_2, + X3M_SPC1400HD, + TEVII_S421, ++ TEVII_S482_1, ++ TEVII_S482_2, + TEVII_S632, + TERRATEC_CINERGY_S2_R2, + GOTVIEW_SAT_HD, +@@ -1580,7 +1683,9 @@ static struct usb_device_id dw2102_table[] = { + [TEVII_S480_2] = {USB_DEVICE(0x9022, USB_PID_TEVII_S480_2)}, + [X3M_SPC1400HD] = {USB_DEVICE(0x1f4d, 0x3100)}, + [TEVII_S421] = {USB_DEVICE(0x9022, 
USB_PID_TEVII_S421)}, +- [TEVII_S632] = {USB_DEVICE(0x9022, USB_PID_TEVII_S632)}, ++ [TEVII_S482_1] = { USB_DEVICE(0x9022, USB_PID_TEVII_S482_1) }, ++ [TEVII_S482_2] = { USB_DEVICE(0x9022, USB_PID_TEVII_S482_2) }, ++ [TEVII_S632] = { USB_DEVICE(0x9022, USB_PID_TEVII_S632) }, + [TERRATEC_CINERGY_S2_R2] = {USB_DEVICE(USB_VID_TERRATEC, 0x00b0)}, + [GOTVIEW_SAT_HD] = {USB_DEVICE(0x1FE1, USB_PID_GOTVIEW_SAT_HD)}, + [GENIATECH_T220] = {USB_DEVICE(0x1f4d, 0xD220)}, +@@ -2012,6 +2117,59 @@ static struct dvb_usb_device_properties su3000_properties = { + } + }; + ++static struct dvb_usb_device_properties m88ds3103_properties = { ++ .caps = DVB_USB_IS_AN_I2C_ADAPTER, ++ .usb_ctrl = DEVICE_SPECIFIC, ++ .size_of_priv = sizeof(struct su3000_state), ++ .power_ctrl = su3000_power_ctrl, ++ .num_adapters = 1, ++ .identify_state = su3000_identify_state, ++ .i2c_algo = &su3000_i2c_algo, ++ ++ .rc.core = { ++ .rc_interval = 150, ++ .rc_codes = RC_MAP_TEVII_NEC, ++ .module_name = "dw2102", ++ .allowed_protos = RC_BIT_NEC, ++ .rc_query = dw2102_rc_query, ++ }, ++ ++ .read_mac_address = su3000_read_mac_address, ++ ++ .generic_bulk_ctrl_endpoint = 0x01, ++ ++ .adapter = { ++ { ++ .num_frontends = 1, ++ .fe = { { ++ .streaming_ctrl = su3000_streaming_ctrl, ++ .frontend_attach = m88ds3103_frontend_attach, ++ .stream = { ++ .type = USB_BULK, ++ .count = 8, ++ .endpoint = 0x82, ++ .u = { ++ .bulk = { ++ .buffersize = 4096, ++ } ++ } ++ } ++ } }, ++ } ++ }, ++ .num_device_descs = 2, ++ .devices = { ++ { "TeVii S482.1 USB", ++ { &dw2102_table[TEVII_S482_1], NULL }, ++ { NULL }, ++ }, ++ { "TeVii S482.2 USB", ++ { &dw2102_table[TEVII_S482_2], NULL }, ++ { NULL }, ++ }, ++ } ++}; ++ + static struct dvb_usb_device_properties t220_properties = { + .caps = DVB_USB_IS_AN_I2C_ADAPTER, + .usb_ctrl = DEVICE_SPECIFIC, +@@ -2131,11 +2289,13 @@ static int dw2102_probe(struct usb_interface *intf, + 0 == dvb_usb_device_init(intf, p7500, + THIS_MODULE, NULL, adapter_nr) || + 0 == dvb_usb_device_init(intf, 
s421, +- THIS_MODULE, NULL, adapter_nr) || +- 0 == dvb_usb_device_init(intf, &su3000_properties, +- THIS_MODULE, NULL, adapter_nr) || ++ THIS_MODULE, NULL, adapter_nr) || + 0 == dvb_usb_device_init(intf, &t220_properties, +- THIS_MODULE, NULL, adapter_nr)) ++ THIS_MODULE, NULL, adapter_nr) || ++ 0 == dvb_usb_device_init(intf, &m88ds3103_properties, ++ THIS_MODULE, NULL, adapter_nr) || ++ 0 == dvb_usb_device_init(intf, &su3000_properties, ++ THIS_MODULE, NULL, adapter_nr)) + return 0; + + return -ENODEV; +@@ -2153,7 +2313,7 @@ module_usb_driver(dw2102_driver); + MODULE_AUTHOR("Igor M. Liplianin (c) liplianin@me.by"); + MODULE_DESCRIPTION("Driver for DVBWorld DVB-S 2101, 2102, DVB-S2 2104," + " DVB-C 3101 USB2.0," +- " TeVii S600, S630, S650, S660, S480, S421, S632" ++ " TeVii S600, S630, S650, S660, S480, S482, S421, S632" + " Prof 1100, 7500 USB2.0," + " Geniatech SU3000, T220 devices"); + MODULE_VERSION("0.1"); diff --git a/src/patches/linux-genksyms_fix_typeof_handling.patch b/src/patches/linux-genksyms_fix_typeof_handling.patch new file mode 100644 index 0000000..3cf3403 --- /dev/null +++ b/src/patches/linux-genksyms_fix_typeof_handling.patch 
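Review bot: in m88ds3103_frontend_attach() the i2c client returned by i2c_new_device() and the module reference taken with try_module_get() are held only in the local variable client, and the function returns 0 without storing it anywhere, so nothing can later call i2c_unregister_device() or drop the module reference when the device goes away. Keep the pointer in the device's private state and release it on detach. Two smaller points in the same function: the client == NULL || client->dev.driver == NULL branch does not unregister a non-NULL client before goto fail_attach, and each failed dvb_usb_generic_rw() is only logged with err() while the attach continues.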
@@ -0,0 +1,1360 @@ +From dc53324060f324e8af6867f57bf4891c13c6ef18 Mon Sep 17 00:00:00 2001 +From: Jan Beulich JBeulich@suse.com +Date: Thu, 3 Apr 2014 14:46:37 -0700 +Subject: genksyms: fix typeof() handling + +Recent increased use of typeof() throughout the tree resulted in a +number of symbols (25 in a typical distro config of ours) not getting a +proper CRC calculated for them anymore, due to the parser in genksyms +not coping with several of these uses (interestingly in the majority of +[if not all] cases the problem is due to the use of typeof() in code +preceding a certain export, not in the declaration/definition of the +exported function/object itself; I wasn't able to find a way to address +this more general parser shortcoming). + +The use of parameter_declaration is a little more relaxed than would be +ideal (permitting not just a bare type specification, but also one with +identifier), but since the same code is being passed through an actual +compiler, there's no apparent risk of allowing through any broken code. + +Otoh using parameter_declaration instead of the ad hoc +"decl_specifier_seq '*'" / "decl_specifier_seq" pair allows all types to +be handled rather than just plain ones and pointers to plain ones. 
+ +Signed-off-by: Jan Beulich jbeulich@suse.com +Cc: Michal Marek mmarek@suse.cz +Signed-off-by: Andrew Morton akpm@linux-foundation.org +Signed-off-by: Linus Torvalds torvalds@linux-foundation.org +--- + scripts/genksyms/keywords.gperf | 5 +- + scripts/genksyms/keywords.hash.c_shipped | 133 +++---- + scripts/genksyms/lex.l | 51 ++- + scripts/genksyms/lex.lex.c_shipped | 51 ++- + scripts/genksyms/parse.tab.c_shipped | 608 ++++++++++++++++--------------- + scripts/genksyms/parse.tab.h_shipped | 29 +- + scripts/genksyms/parse.y | 5 +- + 7 files changed, 498 insertions(+), 384 deletions(-) + +diff --git a/scripts/genksyms/keywords.gperf b/scripts/genksyms/keywords.gperf +index 3e77a94..a9096d9 100644 +--- a/scripts/genksyms/keywords.gperf ++++ b/scripts/genksyms/keywords.gperf +@@ -23,6 +23,8 @@ __inline, INLINE_KEYW + __inline__, INLINE_KEYW + __signed, SIGNED_KEYW + __signed__, SIGNED_KEYW ++__typeof, TYPEOF_KEYW ++__typeof__, TYPEOF_KEYW + __volatile, VOLATILE_KEYW + __volatile__, VOLATILE_KEYW + # According to rth, c99 defines _Bool, __restrict, __restrict__, restrict. 
KAO +@@ -51,9 +53,8 @@ signed, SIGNED_KEYW + static, STATIC_KEYW + struct, STRUCT_KEYW + typedef, TYPEDEF_KEYW ++typeof, TYPEOF_KEYW + union, UNION_KEYW + unsigned, UNSIGNED_KEYW + void, VOID_KEYW + volatile, VOLATILE_KEYW +-typeof, TYPEOF_KEYW +-__typeof__, TYPEOF_KEYW +diff --git a/scripts/genksyms/keywords.hash.c_shipped b/scripts/genksyms/keywords.hash.c_shipped +index 8206260..e9452482 100644 +--- a/scripts/genksyms/keywords.hash.c_shipped ++++ b/scripts/genksyms/keywords.hash.c_shipped +@@ -34,7 +34,7 @@ struct resword; + static const struct resword *is_reserved_word(register const char *str, register unsigned int len); + #line 8 "scripts/genksyms/keywords.gperf" + struct resword { const char *name; int token; }; +-/* maximum key range = 64, duplicates = 0 */ ++/* maximum key range = 98, duplicates = 0 */ + + #ifdef __GNUC__ + __inline +@@ -48,32 +48,32 @@ is_reserved_hash (register const char *str, register unsigned int len) + { + static const unsigned char asso_values[] = + { +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 0, +- 67, 67, 67, 67, 67, 67, 15, 67, 67, 67, +- 0, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 0, 67, 0, 67, 5, +- 25, 20, 15, 30, 67, 15, 67, 67, 10, 0, +- 10, 40, 20, 67, 10, 5, 0, 10, 15, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 
67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67, 67, 67, 67, 67, +- 67, 67, 67, 67, 67, 67 ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 0, ++ 101, 101, 101, 101, 101, 101, 15, 101, 101, 101, ++ 0, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 0, 101, 0, 101, 5, ++ 25, 20, 55, 30, 101, 15, 101, 101, 10, 0, ++ 10, 40, 10, 101, 10, 5, 0, 10, 15, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101, 101, 101, 101, 101, ++ 101, 101, 101, 101, 101, 101 + }; + return len + asso_values[(unsigned char)str[2]] + asso_values[(unsigned char)str[0]] + asso_values[(unsigned char)str[len - 1]]; + } +@@ -89,17 +89,17 @@ is_reserved_word (register const char *str, register unsigned int len) + { + enum + { +- TOTAL_KEYWORDS = 45, ++ TOTAL_KEYWORDS = 46, + MIN_WORD_LENGTH = 3, + MAX_WORD_LENGTH = 24, + MIN_HASH_VALUE = 3, +- MAX_HASH_VALUE = 66 ++ MAX_HASH_VALUE = 100 + }; + + static const struct resword wordlist[] = + { + {""}, {""}, {""}, +-#line 33 "scripts/genksyms/keywords.gperf" ++#line 35 "scripts/genksyms/keywords.gperf" + 
{"asm", ASM_KEYW}, + {""}, + #line 15 "scripts/genksyms/keywords.gperf" +@@ -108,7 +108,7 @@ is_reserved_word (register const char *str, register unsigned int len) + #line 16 "scripts/genksyms/keywords.gperf" + {"__asm__", ASM_KEYW}, + {""}, {""}, +-#line 59 "scripts/genksyms/keywords.gperf" ++#line 27 "scripts/genksyms/keywords.gperf" + {"__typeof__", TYPEOF_KEYW}, + {""}, + #line 19 "scripts/genksyms/keywords.gperf" +@@ -119,31 +119,31 @@ is_reserved_word (register const char *str, register unsigned int len) + {"__const__", CONST_KEYW}, + #line 25 "scripts/genksyms/keywords.gperf" + {"__signed__", SIGNED_KEYW}, +-#line 51 "scripts/genksyms/keywords.gperf" ++#line 53 "scripts/genksyms/keywords.gperf" + {"static", STATIC_KEYW}, + {""}, +-#line 46 "scripts/genksyms/keywords.gperf" ++#line 48 "scripts/genksyms/keywords.gperf" + {"int", INT_KEYW}, +-#line 39 "scripts/genksyms/keywords.gperf" ++#line 41 "scripts/genksyms/keywords.gperf" + {"char", CHAR_KEYW}, +-#line 40 "scripts/genksyms/keywords.gperf" ++#line 42 "scripts/genksyms/keywords.gperf" + {"const", CONST_KEYW}, +-#line 52 "scripts/genksyms/keywords.gperf" ++#line 54 "scripts/genksyms/keywords.gperf" + {"struct", STRUCT_KEYW}, +-#line 31 "scripts/genksyms/keywords.gperf" ++#line 33 "scripts/genksyms/keywords.gperf" + {"__restrict__", RESTRICT_KEYW}, +-#line 32 "scripts/genksyms/keywords.gperf" ++#line 34 "scripts/genksyms/keywords.gperf" + {"restrict", RESTRICT_KEYW}, + #line 12 "scripts/genksyms/keywords.gperf" + {"EXPORT_SYMBOL_GPL_FUTURE", EXPORT_SYMBOL_KEYW}, + #line 23 "scripts/genksyms/keywords.gperf" + {"__inline__", INLINE_KEYW}, + {""}, +-#line 27 "scripts/genksyms/keywords.gperf" ++#line 29 "scripts/genksyms/keywords.gperf" + {"__volatile__", VOLATILE_KEYW}, + #line 10 "scripts/genksyms/keywords.gperf" + {"EXPORT_SYMBOL", EXPORT_SYMBOL_KEYW}, +-#line 30 "scripts/genksyms/keywords.gperf" ++#line 32 "scripts/genksyms/keywords.gperf" + {"_restrict", RESTRICT_KEYW}, + {""}, + #line 17 
"scripts/genksyms/keywords.gperf" +@@ -152,56 +152,65 @@ is_reserved_word (register const char *str, register unsigned int len) + {"EXPORT_SYMBOL_GPL", EXPORT_SYMBOL_KEYW}, + #line 21 "scripts/genksyms/keywords.gperf" + {"__extension__", EXTENSION_KEYW}, +-#line 42 "scripts/genksyms/keywords.gperf" ++#line 44 "scripts/genksyms/keywords.gperf" + {"enum", ENUM_KEYW}, + #line 13 "scripts/genksyms/keywords.gperf" + {"EXPORT_UNUSED_SYMBOL", EXPORT_SYMBOL_KEYW}, +-#line 43 "scripts/genksyms/keywords.gperf" ++#line 45 "scripts/genksyms/keywords.gperf" + {"extern", EXTERN_KEYW}, + {""}, + #line 24 "scripts/genksyms/keywords.gperf" + {"__signed", SIGNED_KEYW}, + #line 14 "scripts/genksyms/keywords.gperf" + {"EXPORT_UNUSED_SYMBOL_GPL", EXPORT_SYMBOL_KEYW}, +-#line 54 "scripts/genksyms/keywords.gperf" ++#line 57 "scripts/genksyms/keywords.gperf" + {"union", UNION_KEYW}, +-#line 58 "scripts/genksyms/keywords.gperf" +- {"typeof", TYPEOF_KEYW}, +-#line 53 "scripts/genksyms/keywords.gperf" +- {"typedef", TYPEDEF_KEYW}, ++ {""}, {""}, + #line 22 "scripts/genksyms/keywords.gperf" + {"__inline", INLINE_KEYW}, +-#line 38 "scripts/genksyms/keywords.gperf" ++#line 40 "scripts/genksyms/keywords.gperf" + {"auto", AUTO_KEYW}, +-#line 26 "scripts/genksyms/keywords.gperf" ++#line 28 "scripts/genksyms/keywords.gperf" + {"__volatile", VOLATILE_KEYW}, + {""}, {""}, +-#line 55 "scripts/genksyms/keywords.gperf" ++#line 58 "scripts/genksyms/keywords.gperf" + {"unsigned", UNSIGNED_KEYW}, + {""}, +-#line 49 "scripts/genksyms/keywords.gperf" ++#line 51 "scripts/genksyms/keywords.gperf" + {"short", SHORT_KEYW}, +-#line 45 "scripts/genksyms/keywords.gperf" ++#line 47 "scripts/genksyms/keywords.gperf" + {"inline", INLINE_KEYW}, + {""}, +-#line 57 "scripts/genksyms/keywords.gperf" ++#line 60 "scripts/genksyms/keywords.gperf" + {"volatile", VOLATILE_KEYW}, +-#line 47 "scripts/genksyms/keywords.gperf" ++#line 49 "scripts/genksyms/keywords.gperf" + {"long", LONG_KEYW}, +-#line 29 
"scripts/genksyms/keywords.gperf" ++#line 31 "scripts/genksyms/keywords.gperf" + {"_Bool", BOOL_KEYW}, + {""}, {""}, +-#line 48 "scripts/genksyms/keywords.gperf" ++#line 50 "scripts/genksyms/keywords.gperf" + {"register", REGISTER_KEYW}, +-#line 56 "scripts/genksyms/keywords.gperf" ++#line 59 "scripts/genksyms/keywords.gperf" + {"void", VOID_KEYW}, +-#line 44 "scripts/genksyms/keywords.gperf" +- {"float", FLOAT_KEYW}, +-#line 41 "scripts/genksyms/keywords.gperf" ++ {""}, ++#line 43 "scripts/genksyms/keywords.gperf" + {"double", DOUBLE_KEYW}, ++ {""}, ++#line 26 "scripts/genksyms/keywords.gperf" ++ {"__typeof", TYPEOF_KEYW}, ++ {""}, {""}, ++#line 52 "scripts/genksyms/keywords.gperf" ++ {"signed", SIGNED_KEYW}, + {""}, {""}, {""}, {""}, +-#line 50 "scripts/genksyms/keywords.gperf" +- {"signed", SIGNED_KEYW} ++#line 56 "scripts/genksyms/keywords.gperf" ++ {"typeof", TYPEOF_KEYW}, ++#line 55 "scripts/genksyms/keywords.gperf" ++ {"typedef", TYPEDEF_KEYW}, ++ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, ++ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, ++ {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, {""}, ++#line 46 "scripts/genksyms/keywords.gperf" ++ {"float", FLOAT_KEYW} + }; + + if (len <= MAX_WORD_LENGTH && len >= MIN_WORD_LENGTH) +diff --git a/scripts/genksyms/lex.l b/scripts/genksyms/lex.l +index f770071..e583565 100644 +--- a/scripts/genksyms/lex.l ++++ b/scripts/genksyms/lex.l +@@ -129,8 +129,9 @@ int + yylex(void) + { + static enum { +- ST_NOTSTARTED, ST_NORMAL, ST_ATTRIBUTE, ST_ASM, ST_BRACKET, ST_BRACE, +- ST_EXPRESSION, ST_TABLE_1, ST_TABLE_2, ST_TABLE_3, ST_TABLE_4, ++ ST_NOTSTARTED, ST_NORMAL, ST_ATTRIBUTE, ST_ASM, ST_TYPEOF, ST_TYPEOF_1, ++ ST_BRACKET, ST_BRACE, ST_EXPRESSION, ++ ST_TABLE_1, ST_TABLE_2, ST_TABLE_3, ST_TABLE_4, + ST_TABLE_5, ST_TABLE_6 + } lexstate = ST_NOTSTARTED; + +@@ -198,6 +199,10 @@ repeat: + lexstate = ST_ASM; + count = 0; + goto repeat; ++ case TYPEOF_KEYW: ++ lexstate = ST_TYPEOF; ++ count = 0; ++ goto repeat; 
+ + case STRUCT_KEYW: + case UNION_KEYW: +@@ -284,6 +289,48 @@ repeat: + } + break; + ++ case ST_TYPEOF: ++ switch (token) ++ { ++ case '(': ++ if ( ++count == 1 ) ++ lexstate = ST_TYPEOF_1; ++ else ++ APP; ++ goto repeat; ++ case ')': ++ APP; ++ if (--count == 0) ++ { ++ lexstate = ST_NORMAL; ++ token = TYPEOF_PHRASE; ++ break; ++ } ++ goto repeat; ++ default: ++ APP; ++ goto repeat; ++ } ++ break; ++ ++ case ST_TYPEOF_1: ++ if (token == IDENT) ++ { ++ if (is_reserved_word(yytext, yyleng) ++ || find_symbol(yytext, SYM_TYPEDEF, 1)) ++ { ++ yyless(0); ++ unput('('); ++ lexstate = ST_NORMAL; ++ token = TYPEOF_KEYW; ++ break; ++ } ++ _APP("(", 1); ++ } ++ APP; ++ lexstate = ST_TYPEOF; ++ goto repeat; ++ + case ST_BRACKET: + APP; + switch (token) +diff --git a/scripts/genksyms/lex.lex.c_shipped b/scripts/genksyms/lex.lex.c_shipped +index 0bf4157..f82740a 100644 +--- a/scripts/genksyms/lex.lex.c_shipped ++++ b/scripts/genksyms/lex.lex.c_shipped +@@ -1938,8 +1938,9 @@ int + yylex(void) + { + static enum { +- ST_NOTSTARTED, ST_NORMAL, ST_ATTRIBUTE, ST_ASM, ST_BRACKET, ST_BRACE, +- ST_EXPRESSION, ST_TABLE_1, ST_TABLE_2, ST_TABLE_3, ST_TABLE_4, ++ ST_NOTSTARTED, ST_NORMAL, ST_ATTRIBUTE, ST_ASM, ST_TYPEOF, ST_TYPEOF_1, ++ ST_BRACKET, ST_BRACE, ST_EXPRESSION, ++ ST_TABLE_1, ST_TABLE_2, ST_TABLE_3, ST_TABLE_4, + ST_TABLE_5, ST_TABLE_6 + } lexstate = ST_NOTSTARTED; + +@@ -2007,6 +2008,10 @@ repeat: + lexstate = ST_ASM; + count = 0; + goto repeat; ++ case TYPEOF_KEYW: ++ lexstate = ST_TYPEOF; ++ count = 0; ++ goto repeat; + + case STRUCT_KEYW: + case UNION_KEYW: +@@ -2093,6 +2098,48 @@ repeat: + } + break; + ++ case ST_TYPEOF: ++ switch (token) ++ { ++ case '(': ++ if ( ++count == 1 ) ++ lexstate = ST_TYPEOF_1; ++ else ++ APP; ++ goto repeat; ++ case ')': ++ APP; ++ if (--count == 0) ++ { ++ lexstate = ST_NORMAL; ++ token = TYPEOF_PHRASE; ++ break; ++ } ++ goto repeat; ++ default: ++ APP; ++ goto repeat; ++ } ++ break; ++ ++ case ST_TYPEOF_1: ++ if (token == IDENT) ++ { ++ if 
(is_reserved_word(yytext, yyleng) ++ || find_symbol(yytext, SYM_TYPEDEF, 1)) ++ { ++ yyless(0); ++ unput('('); ++ lexstate = ST_NORMAL; ++ token = TYPEOF_KEYW; ++ break; ++ } ++ _APP("(", 1); ++ } ++ APP; ++ lexstate = ST_TYPEOF; ++ goto repeat; ++ + case ST_BRACKET: + APP; + switch (token) +diff --git a/scripts/genksyms/parse.tab.c_shipped b/scripts/genksyms/parse.tab.c_shipped +index ece53c7..c9f0f0ce 100644 +--- a/scripts/genksyms/parse.tab.c_shipped ++++ b/scripts/genksyms/parse.tab.c_shipped +@@ -1,8 +1,8 @@ +-/* A Bison parser, made by GNU Bison 2.5. */ ++/* A Bison parser, made by GNU Bison 2.5.1. */ + + /* Bison implementation for Yacc-like parsers in C + +- Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc. ++ Copyright (C) 1984, 1989-1990, 2000-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -44,7 +44,7 @@ + #define YYBISON 1 + + /* Bison version. */ +-#define YYBISON_VERSION "2.5" ++#define YYBISON_VERSION "2.5.1" + + /* Skeleton name. */ + #define YYSKELETON_NAME "yacc.c" +@@ -117,6 +117,14 @@ static void record_compound(struct string_list **keyw, + + + ++# ifndef YY_NULL ++# if defined __cplusplus && 201103L <= __cplusplus ++# define YY_NULL nullptr ++# else ++# define YY_NULL 0 ++# endif ++# endif ++ + /* Enabling traces. 
*/ + #ifndef YYDEBUG + # define YYDEBUG 1 +@@ -171,18 +179,19 @@ static void record_compound(struct string_list **keyw, + EXPORT_SYMBOL_KEYW = 284, + ASM_PHRASE = 285, + ATTRIBUTE_PHRASE = 286, +- BRACE_PHRASE = 287, +- BRACKET_PHRASE = 288, +- EXPRESSION_PHRASE = 289, +- CHAR = 290, +- DOTS = 291, +- IDENT = 292, +- INT = 293, +- REAL = 294, +- STRING = 295, +- TYPE = 296, +- OTHER = 297, +- FILENAME = 298 ++ TYPEOF_PHRASE = 287, ++ BRACE_PHRASE = 288, ++ BRACKET_PHRASE = 289, ++ EXPRESSION_PHRASE = 290, ++ CHAR = 291, ++ DOTS = 292, ++ IDENT = 293, ++ INT = 294, ++ REAL = 295, ++ STRING = 296, ++ TYPE = 297, ++ OTHER = 298, ++ FILENAME = 299 + }; + #endif + +@@ -304,6 +313,7 @@ YYID (yyi) + # if ! defined _ALLOCA_H && ! defined EXIT_SUCCESS && (defined __STDC__ || defined __C99__FUNC__ \ + || defined __cplusplus || defined _MSC_VER) + # include <stdlib.h> /* INFRINGES ON USER NAME SPACE */ ++ /* Use EXIT_SUCCESS as a witness for stdlib.h. */ + # ifndef EXIT_SUCCESS + # define EXIT_SUCCESS 0 + # endif +@@ -395,20 +405,20 @@ union yyalloc + #endif + + #if defined YYCOPY_NEEDED && YYCOPY_NEEDED +-/* Copy COUNT objects from FROM to TO. The source and destination do ++/* Copy COUNT objects from SRC to DST. The source and destination do + not overlap. */ + # ifndef YYCOPY + # if defined __GNUC__ && 1 < __GNUC__ +-# define YYCOPY(To, From, Count) \ +- __builtin_memcpy (To, From, (Count) * sizeof (*(From))) ++# define YYCOPY(Dst, Src, Count) \ ++ __builtin_memcpy (Dst, Src, (Count) * sizeof (*(Src))) + # else +-# define YYCOPY(To, From, Count) \ +- do \ +- { \ +- YYSIZE_T yyi; \ +- for (yyi = 0; yyi < (Count); yyi++) \ +- (To)[yyi] = (From)[yyi]; \ +- } \ ++# define YYCOPY(Dst, Src, Count) \ ++ do \ ++ { \ ++ YYSIZE_T yyi; \ ++ for (yyi = 0; yyi < (Count); yyi++) \ ++ (Dst)[yyi] = (Src)[yyi]; \ ++ } \ + while (YYID (0)) + # endif + # endif +@@ -417,20 +427,20 @@ union yyalloc + /* YYFINAL -- State number of the termination state. 
*/ + #define YYFINAL 4 + /* YYLAST -- Last index in YYTABLE. */ +-#define YYLAST 532 ++#define YYLAST 514 + + /* YYNTOKENS -- Number of terminals. */ +-#define YYNTOKENS 53 ++#define YYNTOKENS 54 + /* YYNNTS -- Number of nonterminals. */ + #define YYNNTS 49 + /* YYNRULES -- Number of rules. */ + #define YYNRULES 132 + /* YYNRULES -- Number of states. */ +-#define YYNSTATES 188 ++#define YYNSTATES 187 + + /* YYTRANSLATE(YYLEX) -- Bison symbol number corresponding to YYLEX. */ + #define YYUNDEFTOK 2 +-#define YYMAXUTOK 298 ++#define YYMAXUTOK 299 + + #define YYTRANSLATE(YYX) \ + ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) +@@ -442,15 +452,15 @@ static const yytype_uint8 yytranslate[] = + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 47, 49, 48, 2, 46, 2, 2, 2, 2, 2, +- 2, 2, 2, 2, 2, 2, 2, 2, 52, 44, +- 2, 50, 2, 2, 2, 2, 2, 2, 2, 2, ++ 48, 49, 50, 2, 47, 2, 2, 2, 2, 2, ++ 2, 2, 2, 2, 2, 2, 2, 2, 53, 45, ++ 2, 51, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +- 2, 2, 2, 51, 2, 45, 2, 2, 2, 2, ++ 2, 2, 2, 52, 2, 46, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, +@@ -467,7 +477,7 @@ static const yytype_uint8 yytranslate[] = + 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, + 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, +- 35, 36, 37, 38, 39, 40, 41, 42, 43 ++ 35, 36, 37, 38, 39, 40, 41, 42, 43, 44 + }; + + #if YYDEBUG +@@ -478,78 +488,77 @@ static const yytype_uint16 yyprhs[] = + 0, 0, 3, 5, 8, 9, 12, 13, 18, 19, + 23, 25, 27, 29, 31, 34, 37, 41, 42, 44, + 46, 50, 55, 56, 58, 60, 63, 65, 67, 69, +- 71, 73, 75, 77, 79, 81, 87, 92, 95, 98, +- 101, 105, 109, 113, 116, 119, 122, 124, 126, 128, +- 130, 132, 134, 136, 138, 140, 142, 144, 147, 148, +- 150, 152, 155, 157, 159, 161, 
163, 166, 168, 170, +- 175, 180, 183, 187, 191, 194, 196, 198, 200, 205, +- 210, 213, 217, 221, 224, 226, 230, 231, 233, 235, +- 239, 242, 245, 247, 248, 250, 252, 257, 262, 265, +- 269, 273, 277, 278, 280, 283, 287, 291, 292, 294, +- 296, 299, 303, 306, 307, 309, 311, 315, 318, 321, +- 323, 326, 327, 330, 334, 339, 341, 345, 347, 351, +- 354, 355, 357 ++ 71, 73, 75, 77, 79, 81, 86, 88, 91, 94, ++ 97, 101, 105, 109, 112, 115, 118, 120, 122, 124, ++ 126, 128, 130, 132, 134, 136, 138, 140, 143, 144, ++ 146, 148, 151, 153, 155, 157, 159, 162, 164, 166, ++ 171, 176, 179, 183, 187, 190, 192, 194, 196, 201, ++ 206, 209, 213, 217, 220, 222, 226, 227, 229, 231, ++ 235, 238, 241, 243, 244, 246, 248, 253, 258, 261, ++ 265, 269, 273, 274, 276, 279, 283, 287, 288, 290, ++ 292, 295, 299, 302, 303, 305, 307, 311, 314, 317, ++ 319, 322, 323, 326, 330, 335, 337, 341, 343, 347, ++ 350, 351, 353 + }; + + /* YYRHS -- A `-1'-separated list of the rules' RHS. */ + static const yytype_int8 yyrhs[] = + { +- 54, 0, -1, 55, -1, 54, 55, -1, -1, 56, +- 57, -1, -1, 12, 23, 58, 60, -1, -1, 23, +- 59, 60, -1, 60, -1, 84, -1, 99, -1, 101, +- -1, 1, 44, -1, 1, 45, -1, 64, 61, 44, +- -1, -1, 62, -1, 63, -1, 62, 46, 63, -1, +- 74, 100, 95, 85, -1, -1, 65, -1, 66, -1, +- 65, 66, -1, 67, -1, 68, -1, 5, -1, 17, +- -1, 21, -1, 11, -1, 14, -1, 69, -1, 73, +- -1, 28, 47, 65, 48, 49, -1, 28, 47, 65, +- 49, -1, 22, 37, -1, 24, 37, -1, 10, 37, +- -1, 22, 37, 87, -1, 24, 37, 87, -1, 10, +- 37, 96, -1, 10, 96, -1, 22, 87, -1, 24, +- 87, -1, 7, -1, 19, -1, 15, -1, 16, -1, +- 20, -1, 25, -1, 13, -1, 9, -1, 26, -1, +- 6, -1, 41, -1, 48, 71, -1, -1, 72, -1, +- 73, -1, 72, 73, -1, 8, -1, 27, -1, 31, +- -1, 18, -1, 70, 74, -1, 75, -1, 37, -1, +- 75, 47, 78, 49, -1, 75, 47, 1, 49, -1, +- 75, 33, -1, 47, 74, 49, -1, 47, 1, 49, +- -1, 70, 76, -1, 77, -1, 37, -1, 41, -1, +- 77, 47, 78, 49, -1, 77, 47, 1, 49, -1, +- 77, 33, -1, 47, 76, 49, -1, 47, 1, 49, +- -1, 79, 36, -1, 79, -1, 80, 46, 36, -1, +- -1, 80, -1, 81, -1, 
80, 46, 81, -1, 65, +- 82, -1, 70, 82, -1, 83, -1, -1, 37, -1, +- 41, -1, 83, 47, 78, 49, -1, 83, 47, 1, +- 49, -1, 83, 33, -1, 47, 82, 49, -1, 47, +- 1, 49, -1, 64, 74, 32, -1, -1, 86, -1, +- 50, 34, -1, 51, 88, 45, -1, 51, 1, 45, +- -1, -1, 89, -1, 90, -1, 89, 90, -1, 64, +- 91, 44, -1, 1, 44, -1, -1, 92, -1, 93, +- -1, 92, 46, 93, -1, 76, 95, -1, 37, 94, +- -1, 94, -1, 52, 34, -1, -1, 95, 31, -1, +- 51, 97, 45, -1, 51, 97, 46, 45, -1, 98, +- -1, 97, 46, 98, -1, 37, -1, 37, 50, 34, +- -1, 30, 44, -1, -1, 30, -1, 29, 47, 37, +- 49, 44, -1 ++ 55, 0, -1, 56, -1, 55, 56, -1, -1, 57, ++ 58, -1, -1, 12, 23, 59, 61, -1, -1, 23, ++ 60, 61, -1, 61, -1, 85, -1, 100, -1, 102, ++ -1, 1, 45, -1, 1, 46, -1, 65, 62, 45, ++ -1, -1, 63, -1, 64, -1, 63, 47, 64, -1, ++ 75, 101, 96, 86, -1, -1, 66, -1, 67, -1, ++ 66, 67, -1, 68, -1, 69, -1, 5, -1, 17, ++ -1, 21, -1, 11, -1, 14, -1, 70, -1, 74, ++ -1, 28, 48, 82, 49, -1, 32, -1, 22, 38, ++ -1, 24, 38, -1, 10, 38, -1, 22, 38, 88, ++ -1, 24, 38, 88, -1, 10, 38, 97, -1, 10, ++ 97, -1, 22, 88, -1, 24, 88, -1, 7, -1, ++ 19, -1, 15, -1, 16, -1, 20, -1, 25, -1, ++ 13, -1, 9, -1, 26, -1, 6, -1, 42, -1, ++ 50, 72, -1, -1, 73, -1, 74, -1, 73, 74, ++ -1, 8, -1, 27, -1, 31, -1, 18, -1, 71, ++ 75, -1, 76, -1, 38, -1, 76, 48, 79, 49, ++ -1, 76, 48, 1, 49, -1, 76, 34, -1, 48, ++ 75, 49, -1, 48, 1, 49, -1, 71, 77, -1, ++ 78, -1, 38, -1, 42, -1, 78, 48, 79, 49, ++ -1, 78, 48, 1, 49, -1, 78, 34, -1, 48, ++ 77, 49, -1, 48, 1, 49, -1, 80, 37, -1, ++ 80, -1, 81, 47, 37, -1, -1, 81, -1, 82, ++ -1, 81, 47, 82, -1, 66, 83, -1, 71, 83, ++ -1, 84, -1, -1, 38, -1, 42, -1, 84, 48, ++ 79, 49, -1, 84, 48, 1, 49, -1, 84, 34, ++ -1, 48, 83, 49, -1, 48, 1, 49, -1, 65, ++ 75, 33, -1, -1, 87, -1, 51, 35, -1, 52, ++ 89, 46, -1, 52, 1, 46, -1, -1, 90, -1, ++ 91, -1, 90, 91, -1, 65, 92, 45, -1, 1, ++ 45, -1, -1, 93, -1, 94, -1, 93, 47, 94, ++ -1, 77, 96, -1, 38, 95, -1, 95, -1, 53, ++ 35, -1, -1, 96, 31, -1, 52, 98, 46, -1, ++ 52, 98, 47, 46, -1, 99, -1, 98, 47, 99, ++ 
-1, 38, -1, 38, 51, 35, -1, 30, 45, -1, ++ -1, 30, -1, 29, 48, 38, 49, 45, -1 + }; + + /* YYRLINE[YYN] -- source line where rule number YYN was defined. */ + static const yytype_uint16 yyrline[] = + { +- 0, 123, 123, 124, 128, 128, 134, 134, 136, 136, +- 138, 139, 140, 141, 142, 143, 147, 161, 162, 166, +- 174, 187, 193, 194, 198, 199, 203, 209, 213, 214, +- 215, 216, 217, 221, 222, 223, 224, 228, 230, 232, +- 236, 238, 240, 245, 248, 249, 253, 254, 255, 256, +- 257, 258, 259, 260, 261, 262, 263, 267, 272, 273, +- 277, 278, 282, 282, 282, 283, 291, 292, 296, 305, +- 307, 309, 311, 313, 320, 321, 325, 326, 327, 329, +- 331, 333, 335, 340, 341, 342, 346, 347, 351, 352, +- 357, 362, 364, 368, 369, 377, 381, 383, 385, 387, +- 389, 394, 403, 404, 409, 414, 415, 419, 420, 424, +- 425, 429, 431, 436, 437, 441, 442, 446, 447, 448, +- 452, 456, 457, 461, 462, 466, 467, 470, 475, 483, +- 487, 488, 492 ++ 0, 124, 124, 125, 129, 129, 135, 135, 137, 137, ++ 139, 140, 141, 142, 143, 144, 148, 162, 163, 167, ++ 175, 188, 194, 195, 199, 200, 204, 210, 214, 215, ++ 216, 217, 218, 222, 223, 224, 225, 229, 231, 233, ++ 237, 239, 241, 246, 249, 250, 254, 255, 256, 257, ++ 258, 259, 260, 261, 262, 263, 264, 268, 273, 274, ++ 278, 279, 283, 283, 283, 284, 292, 293, 297, 306, ++ 308, 310, 312, 314, 321, 322, 326, 327, 328, 330, ++ 332, 334, 336, 341, 342, 343, 347, 348, 352, 353, ++ 358, 363, 365, 369, 370, 378, 382, 384, 386, 388, ++ 390, 395, 404, 405, 410, 415, 416, 420, 421, 425, ++ 426, 430, 432, 437, 438, 442, 443, 447, 448, 449, ++ 453, 457, 458, 462, 463, 467, 468, 471, 476, 484, ++ 488, 489, 493 + }; + #endif + +@@ -565,9 +574,9 @@ static const char *const yytname[] = + "SHORT_KEYW", "SIGNED_KEYW", "STATIC_KEYW", "STRUCT_KEYW", + "TYPEDEF_KEYW", "UNION_KEYW", "UNSIGNED_KEYW", "VOID_KEYW", + "VOLATILE_KEYW", "TYPEOF_KEYW", "EXPORT_SYMBOL_KEYW", "ASM_PHRASE", +- "ATTRIBUTE_PHRASE", "BRACE_PHRASE", "BRACKET_PHRASE", ++ "ATTRIBUTE_PHRASE", "TYPEOF_PHRASE", "BRACE_PHRASE", 
"BRACKET_PHRASE", + "EXPRESSION_PHRASE", "CHAR", "DOTS", "IDENT", "INT", "REAL", "STRING", +- "TYPE", "OTHER", "FILENAME", "';'", "'}'", "','", "'('", "'*'", "')'", ++ "TYPE", "OTHER", "FILENAME", "';'", "'}'", "','", "'('", "')'", "'*'", + "'='", "'{'", "':'", "$accept", "declaration_seq", "declaration", "$@1", + "declaration1", "$@2", "$@3", "simple_declaration", + "init_declarator_list_opt", "init_declarator_list", "init_declarator", +@@ -584,7 +593,7 @@ static const char *const yytname[] = + "member_declarator_list_opt", "member_declarator_list", + "member_declarator", "member_bitfield_declarator", "attribute_opt", + "enum_body", "enumerator_list", "enumerator", "asm_definition", +- "asm_phrase_opt", "export_definition", 0 ++ "asm_phrase_opt", "export_definition", YY_NULL + }; + #endif + +@@ -597,28 +606,28 @@ static const yytype_uint16 yytoknum[] = + 265, 266, 267, 268, 269, 270, 271, 272, 273, 274, + 275, 276, 277, 278, 279, 280, 281, 282, 283, 284, + 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, +- 295, 296, 297, 298, 59, 125, 44, 40, 42, 41, +- 61, 123, 58 ++ 295, 296, 297, 298, 299, 59, 125, 44, 40, 41, ++ 42, 61, 123, 58 + }; + # endif + + /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. 
*/ + static const yytype_uint8 yyr1[] = + { +- 0, 53, 54, 54, 56, 55, 58, 57, 59, 57, +- 57, 57, 57, 57, 57, 57, 60, 61, 61, 62, +- 62, 63, 64, 64, 65, 65, 66, 66, 67, 67, +- 67, 67, 67, 68, 68, 68, 68, 68, 68, 68, +- 68, 68, 68, 68, 68, 68, 69, 69, 69, 69, +- 69, 69, 69, 69, 69, 69, 69, 70, 71, 71, +- 72, 72, 73, 73, 73, 73, 74, 74, 75, 75, +- 75, 75, 75, 75, 76, 76, 77, 77, 77, 77, +- 77, 77, 77, 78, 78, 78, 79, 79, 80, 80, +- 81, 82, 82, 83, 83, 83, 83, 83, 83, 83, +- 83, 84, 85, 85, 86, 87, 87, 88, 88, 89, +- 89, 90, 90, 91, 91, 92, 92, 93, 93, 93, +- 94, 95, 95, 96, 96, 97, 97, 98, 98, 99, +- 100, 100, 101 ++ 0, 54, 55, 55, 57, 56, 59, 58, 60, 58, ++ 58, 58, 58, 58, 58, 58, 61, 62, 62, 63, ++ 63, 64, 65, 65, 66, 66, 67, 67, 68, 68, ++ 68, 68, 68, 69, 69, 69, 69, 69, 69, 69, ++ 69, 69, 69, 69, 69, 69, 70, 70, 70, 70, ++ 70, 70, 70, 70, 70, 70, 70, 71, 72, 72, ++ 73, 73, 74, 74, 74, 74, 75, 75, 76, 76, ++ 76, 76, 76, 76, 77, 77, 78, 78, 78, 78, ++ 78, 78, 78, 79, 79, 79, 80, 80, 81, 81, ++ 82, 83, 83, 84, 84, 84, 84, 84, 84, 84, ++ 84, 85, 86, 86, 87, 88, 88, 89, 89, 90, ++ 90, 91, 91, 92, 92, 93, 93, 94, 94, 94, ++ 95, 96, 96, 97, 97, 98, 98, 99, 99, 100, ++ 101, 101, 102 + }; + + /* YYR2[YYN] -- Number of symbols composing right hand side of rule YYN. 
*/ +@@ -627,7 +636,7 @@ static const yytype_uint8 yyr2[] = + 0, 2, 1, 2, 0, 2, 0, 4, 0, 3, + 1, 1, 1, 1, 2, 2, 3, 0, 1, 1, + 3, 4, 0, 1, 1, 2, 1, 1, 1, 1, +- 1, 1, 1, 1, 1, 5, 4, 2, 2, 2, ++ 1, 1, 1, 1, 1, 4, 1, 2, 2, 2, + 3, 3, 3, 2, 2, 2, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 2, 0, 1, + 1, 2, 1, 1, 1, 1, 2, 1, 1, 4, +@@ -648,68 +657,68 @@ static const yytype_uint8 yydefact[] = + 4, 4, 2, 0, 1, 3, 0, 28, 55, 46, + 62, 53, 0, 31, 0, 52, 32, 48, 49, 29, + 65, 47, 50, 30, 0, 8, 0, 51, 54, 63, +- 0, 0, 0, 64, 56, 5, 10, 17, 23, 24, +- 26, 27, 33, 34, 11, 12, 13, 14, 15, 39, +- 0, 43, 6, 37, 0, 44, 22, 38, 45, 0, +- 0, 129, 68, 0, 58, 0, 18, 19, 0, 130, +- 67, 25, 42, 127, 0, 125, 22, 40, 0, 113, +- 0, 0, 109, 9, 17, 41, 0, 0, 0, 0, +- 57, 59, 60, 16, 0, 66, 131, 101, 121, 71, +- 0, 0, 123, 0, 7, 112, 106, 76, 77, 0, +- 0, 0, 121, 75, 0, 114, 115, 119, 105, 0, +- 110, 130, 0, 36, 0, 73, 72, 61, 20, 102, +- 0, 93, 0, 84, 87, 88, 128, 124, 126, 118, +- 0, 76, 0, 120, 74, 117, 80, 0, 111, 0, +- 35, 132, 122, 0, 21, 103, 70, 94, 56, 0, +- 93, 90, 92, 69, 83, 0, 82, 81, 0, 0, +- 116, 104, 0, 95, 0, 91, 98, 0, 85, 89, +- 79, 78, 100, 99, 0, 0, 97, 96 ++ 0, 0, 0, 64, 36, 56, 5, 10, 17, 23, ++ 24, 26, 27, 33, 34, 11, 12, 13, 14, 15, ++ 39, 0, 43, 6, 37, 0, 44, 22, 38, 45, ++ 0, 0, 129, 68, 0, 58, 0, 18, 19, 0, ++ 130, 67, 25, 42, 127, 0, 125, 22, 40, 0, ++ 113, 0, 0, 109, 9, 17, 41, 93, 0, 0, ++ 0, 0, 57, 59, 60, 16, 0, 66, 131, 101, ++ 121, 71, 0, 0, 123, 0, 7, 112, 106, 76, ++ 77, 0, 0, 0, 121, 75, 0, 114, 115, 119, ++ 105, 0, 110, 130, 94, 56, 0, 93, 90, 92, ++ 35, 0, 73, 72, 61, 20, 102, 0, 0, 84, ++ 87, 88, 128, 124, 126, 118, 0, 76, 0, 120, ++ 74, 117, 80, 0, 111, 0, 0, 95, 0, 91, ++ 98, 0, 132, 122, 0, 21, 103, 70, 69, 83, ++ 0, 82, 81, 0, 0, 116, 100, 99, 0, 0, ++ 104, 85, 89, 79, 78, 97, 96 + }; + + /* YYDEFGOTO[NTERM-NUM]. 
*/ + static const yytype_int16 yydefgoto[] = + { +- -1, 1, 2, 3, 35, 76, 56, 36, 65, 66, +- 67, 79, 38, 39, 40, 41, 42, 68, 90, 91, +- 43, 121, 70, 112, 113, 132, 133, 134, 135, 161, +- 162, 44, 154, 155, 55, 80, 81, 82, 114, 115, +- 116, 117, 129, 51, 74, 75, 45, 98, 46 ++ -1, 1, 2, 3, 36, 77, 57, 37, 66, 67, ++ 68, 80, 39, 40, 41, 42, 43, 69, 92, 93, ++ 44, 123, 71, 114, 115, 138, 139, 140, 141, 128, ++ 129, 45, 165, 166, 56, 81, 82, 83, 116, 117, ++ 118, 119, 136, 52, 75, 76, 46, 100, 47 + }; + + /* YYPACT[STATE-NUM] -- Index in YYTABLE of the portion describing + STATE-NUM. */ +-#define YYPACT_NINF -135 ++#define YYPACT_NINF -140 + static const yytype_int16 yypact[] = + { +- -135, 20, -135, 321, -135, -135, 30, -135, -135, -135, +- -135, -135, -28, -135, 2, -135, -135, -135, -135, -135, +- -135, -135, -135, -135, -6, -135, 9, -135, -135, -135, +- -5, 15, -17, -135, -135, -135, -135, 18, 491, -135, +- -135, -135, -135, -135, -135, -135, -135, -135, -135, -22, +- 31, -135, -135, 19, 106, -135, 491, 19, -135, 491, +- 50, -135, -135, 11, -3, 51, 57, -135, 18, -14, +- 14, -135, -135, 48, 46, -135, 491, -135, 33, 32, +- 59, 154, -135, -135, 18, -135, 365, 56, 60, 61, +- -135, -3, -135, -135, 18, -135, -135, -135, -135, -135, +- 202, 74, -135, -23, -135, -135, -135, 77, -135, 16, +- 101, 49, -135, 34, 92, 93, -135, -135, -135, 94, +- -135, 110, 95, -135, 97, -135, -135, -135, -135, -20, +- 96, 410, 99, 113, 100, -135, -135, -135, -135, -135, +- 103, -135, 107, -135, -135, 111, -135, 239, -135, 32, +- -135, -135, -135, 123, -135, -135, -135, -135, -135, 3, +- 52, -135, 38, -135, -135, 454, -135, -135, 117, 128, +- -135, -135, 134, -135, 135, -135, -135, 276, -135, -135, +- -135, -135, -135, -135, 137, 138, -135, -135 ++ -140, 29, -140, 207, -140, -140, 40, -140, -140, -140, ++ -140, -140, -27, -140, 44, -140, -140, -140, -140, -140, ++ -140, -140, -140, -140, -22, -140, -18, -140, -140, -140, ++ -9, 22, 28, -140, -140, -140, -140, -140, 42, 472, ++ -140, -140, -140, 
-140, -140, -140, -140, -140, -140, -140, ++ 46, 43, -140, -140, 47, 107, -140, 472, 47, -140, ++ 472, 62, -140, -140, 16, -3, 57, 56, -140, 42, ++ 35, -11, -140, -140, 53, 48, -140, 472, -140, 51, ++ 21, 59, 157, -140, -140, 42, -140, 388, 58, 60, ++ 70, 81, -140, -3, -140, -140, 42, -140, -140, -140, ++ -140, -140, 253, 71, -140, -20, -140, -140, -140, 83, ++ -140, 5, 102, 34, -140, 12, 95, 94, -140, -140, ++ -140, 97, -140, 113, -140, -140, 2, 41, -140, 27, ++ -140, 99, -140, -140, -140, -140, -24, 98, 101, 109, ++ 104, -140, -140, -140, -140, -140, 105, -140, 110, -140, ++ -140, 117, -140, 298, -140, 21, 112, -140, 120, -140, ++ -140, 343, -140, -140, 121, -140, -140, -140, -140, -140, ++ 434, -140, -140, 131, 137, -140, -140, -140, 138, 141, ++ -140, -140, -140, -140, -140, -140, -140 + }; + + /* YYPGOTO[NTERM-NUM]. */ + static const yytype_int16 yypgoto[] = + { +- -135, -135, 187, -135, -135, -135, -135, -50, -135, -135, +- 98, 0, -59, -37, -135, -135, -135, -77, -135, -135, +- -54, -30, -135, -90, -135, -134, -135, -135, 24, -58, +- -135, -135, -135, -135, -18, -135, -135, 109, -135, -135, +- 44, 87, 84, 148, -135, 102, -135, -135, -135 ++ -140, -140, 190, -140, -140, -140, -140, -45, -140, -140, ++ 96, 1, -60, -31, -140, -140, -140, -78, -140, -140, ++ -55, -7, -140, -92, -140, -139, -140, -140, -59, -39, ++ -140, -140, -140, -140, -13, -140, -140, 111, -140, -140, ++ 39, 87, 84, 147, -140, 106, -140, -140, -140 + }; + + /* YYTABLE[YYPACT[STATE-NUM]]. What to do in state STATE-NUM. 
If +@@ -718,149 +727,145 @@ static const yytype_int16 yypgoto[] = + #define YYTABLE_NINF -109 + static const yytype_int16 yytable[] = + { +- 86, 71, 111, 37, 172, 10, 83, 69, 58, 49, +- 92, 152, 88, 169, 73, 20, 96, 140, 97, 142, +- 4, 144, 137, 50, 29, 52, 104, 61, 33, 50, +- 153, 53, 111, 89, 111, 77, -93, 127, 95, 85, +- 157, 131, 59, 185, 173, 54, 57, 99, 62, 71, +- 159, 64, -93, 141, 160, 62, 84, 108, 63, 64, +- 54, 100, 60, 109, 64, 63, 64, 146, 73, 107, +- 54, 176, 111, 108, 47, 48, 84, 105, 106, 109, +- 64, 147, 160, 160, 110, 177, 141, 87, 131, 157, +- 108, 102, 103, 173, 71, 93, 109, 64, 101, 159, +- 64, 174, 175, 94, 118, 124, 131, 78, 136, 125, +- 126, 7, 8, 9, 10, 11, 12, 13, 131, 15, +- 16, 17, 18, 19, 20, 21, 22, 23, 24, 110, +- 26, 27, 28, 29, 30, 143, 148, 33, 105, 149, +- 96, 151, 152, -22, 150, 156, 165, 34, 163, 164, +- -22, -107, 166, -22, -22, 119, 167, 171, -22, 7, +- 8, 9, 10, 11, 12, 13, 180, 15, 16, 17, +- 18, 19, 20, 21, 22, 23, 24, 181, 26, 27, +- 28, 29, 30, 182, 183, 33, 186, 187, 5, 179, +- 120, -22, 128, 170, 139, 34, 145, 72, -22, -108, +- 0, -22, -22, 130, 0, 138, -22, 7, 8, 9, +- 10, 11, 12, 13, 0, 15, 16, 17, 18, 19, +- 20, 21, 22, 23, 24, 0, 26, 27, 28, 29, +- 30, 0, 0, 33, 0, 0, 0, 0, -86, 0, +- 168, 0, 0, 34, 7, 8, 9, 10, 11, 12, +- 13, -86, 15, 16, 17, 18, 19, 20, 21, 22, +- 23, 24, 0, 26, 27, 28, 29, 30, 0, 0, +- 33, 0, 0, 0, 0, -86, 0, 184, 0, 0, +- 34, 7, 8, 9, 10, 11, 12, 13, -86, 15, +- 16, 17, 18, 19, 20, 21, 22, 23, 24, 0, +- 26, 27, 28, 29, 30, 0, 0, 33, 0, 0, +- 0, 0, -86, 0, 0, 0, 0, 34, 0, 0, +- 0, 0, 6, 0, 0, -86, 7, 8, 9, 10, +- 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, +- 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, +- 31, 32, 33, 0, 0, 0, 0, 0, -22, 0, +- 0, 0, 34, 0, 0, -22, 0, 0, -22, -22, +- 7, 8, 9, 10, 11, 12, 13, 0, 15, 16, +- 17, 18, 19, 20, 21, 22, 23, 24, 0, 26, +- 27, 28, 29, 30, 0, 0, 33, 0, 0, 0, +- 0, 0, 0, 0, 0, 0, 34, 0, 0, 0, +- 0, 0, 0, 122, 123, 7, 8, 9, 10, 11, +- 12, 13, 0, 15, 16, 17, 18, 19, 20, 
21, +- 22, 23, 24, 0, 26, 27, 28, 29, 30, 0, +- 0, 33, 0, 0, 0, 0, 0, 157, 0, 0, +- 0, 158, 0, 0, 0, 0, 0, 159, 64, 7, ++ 87, 88, 113, 156, 38, 10, 146, 163, 72, 127, ++ 94, 50, 84, 59, 174, 20, 54, 90, 74, 148, ++ 58, 150, 179, 101, 29, 51, 143, 164, 33, 4, ++ 55, 70, 106, 113, 55, 113, -93, 102, 134, 60, ++ 124, 78, 87, 147, 157, 86, 152, 110, 127, 127, ++ 126, -93, 65, 111, 63, 65, 72, 91, 85, 109, ++ 153, 160, 97, 110, 64, 98, 65, 53, 99, 111, ++ 61, 65, 147, 62, 112, 161, 110, 113, 85, 124, ++ 63, 74, 111, 157, 65, 48, 49, 158, 159, 126, ++ 64, 65, 65, 87, 104, 105, 107, 108, 51, 55, ++ 89, 87, 95, 96, 103, 120, 142, 130, 79, 131, ++ 87, 182, 7, 8, 9, 10, 11, 12, 13, 132, ++ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, ++ 133, 26, 27, 28, 29, 30, 112, 149, 33, 34, ++ 154, 155, 107, 98, 162, -22, 169, 167, 163, 35, ++ 168, 170, -22, -107, 171, -22, 180, -22, 121, 172, ++ -22, 176, 7, 8, 9, 10, 11, 12, 13, 177, ++ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, ++ 183, 26, 27, 28, 29, 30, 184, 185, 33, 34, ++ 186, 5, 135, 122, 175, -22, 145, 73, 151, 35, ++ 0, 0, -22, -108, 0, -22, 0, -22, 6, 0, ++ -22, 144, 7, 8, 9, 10, 11, 12, 13, 14, ++ 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, ++ 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, ++ 0, 0, 0, 0, 0, -22, 0, 0, 0, 35, ++ 0, 0, -22, 0, 137, -22, 0, -22, 7, 8, ++ 9, 10, 11, 12, 13, 0, 15, 16, 17, 18, ++ 19, 20, 21, 22, 23, 24, 0, 26, 27, 28, ++ 29, 30, 0, 0, 33, 34, 0, 0, 0, 0, ++ -86, 0, 0, 0, 0, 35, 0, 0, 0, 173, ++ 0, 0, -86, 7, 8, 9, 10, 11, 12, 13, ++ 0, 15, 16, 17, 18, 19, 20, 21, 22, 23, ++ 24, 0, 26, 27, 28, 29, 30, 0, 0, 33, ++ 34, 0, 0, 0, 0, -86, 0, 0, 0, 0, ++ 35, 0, 0, 0, 178, 0, 0, -86, 7, 8, ++ 9, 10, 11, 12, 13, 0, 15, 16, 17, 18, ++ 19, 20, 21, 22, 23, 24, 0, 26, 27, 28, ++ 29, 30, 0, 0, 33, 34, 0, 0, 0, 0, ++ -86, 0, 0, 0, 0, 35, 0, 0, 0, 0, ++ 0, 0, -86, 7, 8, 9, 10, 11, 12, 13, ++ 0, 15, 16, 17, 18, 19, 20, 21, 22, 23, ++ 24, 0, 26, 27, 28, 29, 30, 0, 0, 33, ++ 34, 0, 0, 0, 0, 0, 124, 0, 0, 0, ++ 125, 0, 0, 0, 0, 0, 
126, 0, 65, 7, + 8, 9, 10, 11, 12, 13, 0, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 0, 26, 27, +- 28, 29, 30, 0, 0, 33, 0, 0, 0, 0, +- 178, 0, 0, 0, 0, 34, 7, 8, 9, 10, +- 11, 12, 13, 0, 15, 16, 17, 18, 19, 20, +- 21, 22, 23, 24, 0, 26, 27, 28, 29, 30, +- 0, 0, 33, 0, 0, 0, 0, 0, 0, 0, +- 0, 0, 34 ++ 28, 29, 30, 0, 0, 33, 34, 0, 0, 0, ++ 0, 181, 0, 0, 0, 0, 35, 7, 8, 9, ++ 10, 11, 12, 13, 0, 15, 16, 17, 18, 19, ++ 20, 21, 22, 23, 24, 0, 26, 27, 28, 29, ++ 30, 0, 0, 33, 34, 0, 0, 0, 0, 0, ++ 0, 0, 0, 0, 35 + }; + + #define yypact_value_is_default(yystate) \ +- ((yystate) == (-135)) ++ ((yystate) == (-140)) + + #define yytable_value_is_error(yytable_value) \ + YYID (0) + + static const yytype_int16 yycheck[] = + { +- 59, 38, 79, 3, 1, 8, 56, 37, 26, 37, +- 64, 31, 1, 147, 37, 18, 30, 1, 32, 109, +- 0, 111, 45, 51, 27, 23, 76, 44, 31, 51, +- 50, 37, 109, 63, 111, 53, 33, 91, 68, 57, +- 37, 100, 47, 177, 41, 51, 37, 33, 37, 86, +- 47, 48, 49, 37, 131, 37, 56, 41, 47, 48, +- 51, 47, 47, 47, 48, 47, 48, 33, 37, 37, +- 51, 33, 149, 41, 44, 45, 76, 44, 45, 47, +- 48, 47, 159, 160, 52, 47, 37, 37, 147, 37, +- 41, 45, 46, 41, 131, 44, 47, 48, 50, 47, +- 48, 159, 160, 46, 45, 49, 165, 1, 34, 49, +- 49, 5, 6, 7, 8, 9, 10, 11, 177, 13, +- 14, 15, 16, 17, 18, 19, 20, 21, 22, 52, +- 24, 25, 26, 27, 28, 34, 44, 31, 44, 46, +- 30, 44, 31, 37, 49, 49, 46, 41, 49, 36, +- 44, 45, 49, 47, 48, 1, 49, 34, 52, 5, +- 6, 7, 8, 9, 10, 11, 49, 13, 14, 15, +- 16, 17, 18, 19, 20, 21, 22, 49, 24, 25, +- 26, 27, 28, 49, 49, 31, 49, 49, 1, 165, +- 81, 37, 94, 149, 107, 41, 112, 49, 44, 45, +- -1, 47, 48, 1, -1, 103, 52, 5, 6, 7, +- 8, 9, 10, 11, -1, 13, 14, 15, 16, 17, +- 18, 19, 20, 21, 22, -1, 24, 25, 26, 27, +- 28, -1, -1, 31, -1, -1, -1, -1, 36, -1, +- 1, -1, -1, 41, 5, 6, 7, 8, 9, 10, +- 11, 49, 13, 14, 15, 16, 17, 18, 19, 20, +- 21, 22, -1, 24, 25, 26, 27, 28, -1, -1, +- 31, -1, -1, -1, -1, 36, -1, 1, -1, -1, +- 41, 5, 6, 7, 8, 9, 10, 11, 49, 13, +- 14, 15, 16, 17, 18, 19, 20, 21, 22, -1, +- 
24, 25, 26, 27, 28, -1, -1, 31, -1, -1, +- -1, -1, 36, -1, -1, -1, -1, 41, -1, -1, +- -1, -1, 1, -1, -1, 49, 5, 6, 7, 8, +- 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, +- 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, +- 29, 30, 31, -1, -1, -1, -1, -1, 37, -1, +- -1, -1, 41, -1, -1, 44, -1, -1, 47, 48, +- 5, 6, 7, 8, 9, 10, 11, -1, 13, 14, +- 15, 16, 17, 18, 19, 20, 21, 22, -1, 24, +- 25, 26, 27, 28, -1, -1, 31, -1, -1, -1, +- -1, -1, -1, -1, -1, -1, 41, -1, -1, -1, +- -1, -1, -1, 48, 49, 5, 6, 7, 8, 9, +- 10, 11, -1, 13, 14, 15, 16, 17, 18, 19, +- 20, 21, 22, -1, 24, 25, 26, 27, 28, -1, +- -1, 31, -1, -1, -1, -1, -1, 37, -1, -1, +- -1, 41, -1, -1, -1, -1, -1, 47, 48, 5, ++ 60, 60, 80, 1, 3, 8, 1, 31, 39, 87, ++ 65, 38, 57, 26, 153, 18, 38, 1, 38, 111, ++ 38, 113, 161, 34, 27, 52, 46, 51, 31, 0, ++ 52, 38, 77, 111, 52, 113, 34, 48, 93, 48, ++ 38, 54, 102, 38, 42, 58, 34, 42, 126, 127, ++ 48, 49, 50, 48, 38, 50, 87, 64, 57, 38, ++ 48, 34, 69, 42, 48, 30, 50, 23, 33, 48, ++ 48, 50, 38, 45, 53, 48, 42, 155, 77, 38, ++ 38, 38, 48, 42, 50, 45, 46, 126, 127, 48, ++ 48, 50, 50, 153, 46, 47, 45, 46, 52, 52, ++ 38, 161, 45, 47, 51, 46, 35, 49, 1, 49, ++ 170, 170, 5, 6, 7, 8, 9, 10, 11, 49, ++ 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, ++ 49, 24, 25, 26, 27, 28, 53, 35, 31, 32, ++ 45, 47, 45, 30, 45, 38, 37, 49, 31, 42, ++ 49, 47, 45, 46, 49, 48, 35, 50, 1, 49, ++ 53, 49, 5, 6, 7, 8, 9, 10, 11, 49, ++ 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, ++ 49, 24, 25, 26, 27, 28, 49, 49, 31, 32, ++ 49, 1, 96, 82, 155, 38, 109, 50, 114, 42, ++ -1, -1, 45, 46, -1, 48, -1, 50, 1, -1, ++ 53, 105, 5, 6, 7, 8, 9, 10, 11, 12, ++ 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, ++ 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, ++ -1, -1, -1, -1, -1, 38, -1, -1, -1, 42, ++ -1, -1, 45, -1, 1, 48, -1, 50, 5, 6, ++ 7, 8, 9, 10, 11, -1, 13, 14, 15, 16, ++ 17, 18, 19, 20, 21, 22, -1, 24, 25, 26, ++ 27, 28, -1, -1, 31, 32, -1, -1, -1, -1, ++ 37, -1, -1, -1, -1, 42, -1, -1, -1, 1, ++ -1, -1, 49, 5, 6, 7, 8, 9, 10, 11, ++ -1, 13, 14, 
15, 16, 17, 18, 19, 20, 21, ++ 22, -1, 24, 25, 26, 27, 28, -1, -1, 31, ++ 32, -1, -1, -1, -1, 37, -1, -1, -1, -1, ++ 42, -1, -1, -1, 1, -1, -1, 49, 5, 6, ++ 7, 8, 9, 10, 11, -1, 13, 14, 15, 16, ++ 17, 18, 19, 20, 21, 22, -1, 24, 25, 26, ++ 27, 28, -1, -1, 31, 32, -1, -1, -1, -1, ++ 37, -1, -1, -1, -1, 42, -1, -1, -1, -1, ++ -1, -1, 49, 5, 6, 7, 8, 9, 10, 11, ++ -1, 13, 14, 15, 16, 17, 18, 19, 20, 21, ++ 22, -1, 24, 25, 26, 27, 28, -1, -1, 31, ++ 32, -1, -1, -1, -1, -1, 38, -1, -1, -1, ++ 42, -1, -1, -1, -1, -1, 48, -1, 50, 5, + 6, 7, 8, 9, 10, 11, -1, 13, 14, 15, + 16, 17, 18, 19, 20, 21, 22, -1, 24, 25, +- 26, 27, 28, -1, -1, 31, -1, -1, -1, -1, +- 36, -1, -1, -1, -1, 41, 5, 6, 7, 8, +- 9, 10, 11, -1, 13, 14, 15, 16, 17, 18, +- 19, 20, 21, 22, -1, 24, 25, 26, 27, 28, +- -1, -1, 31, -1, -1, -1, -1, -1, -1, -1, +- -1, -1, 41 ++ 26, 27, 28, -1, -1, 31, 32, -1, -1, -1, ++ -1, 37, -1, -1, -1, -1, 42, 5, 6, 7, ++ 8, 9, 10, 11, -1, 13, 14, 15, 16, 17, ++ 18, 19, 20, 21, 22, -1, 24, 25, 26, 27, ++ 28, -1, -1, 31, 32, -1, -1, -1, -1, -1, ++ -1, -1, -1, -1, 42 + }; + + /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing + symbol of state STATE-NUM. 
*/ + static const yytype_uint8 yystos[] = + { +- 0, 54, 55, 56, 0, 55, 1, 5, 6, 7, ++ 0, 55, 56, 57, 0, 56, 1, 5, 6, 7, + 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, + 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, +- 28, 29, 30, 31, 41, 57, 60, 64, 65, 66, +- 67, 68, 69, 73, 84, 99, 101, 44, 45, 37, +- 51, 96, 23, 37, 51, 87, 59, 37, 87, 47, +- 47, 44, 37, 47, 48, 61, 62, 63, 70, 74, +- 75, 66, 96, 37, 97, 98, 58, 87, 1, 64, +- 88, 89, 90, 60, 64, 87, 65, 37, 1, 74, +- 71, 72, 73, 44, 46, 74, 30, 32, 100, 33, +- 47, 50, 45, 46, 60, 44, 45, 37, 41, 47, +- 52, 70, 76, 77, 91, 92, 93, 94, 45, 1, +- 90, 74, 48, 49, 49, 49, 49, 73, 63, 95, +- 1, 65, 78, 79, 80, 81, 34, 45, 98, 94, +- 1, 37, 76, 34, 76, 95, 33, 47, 44, 46, +- 49, 44, 31, 50, 85, 86, 49, 37, 41, 47, +- 70, 82, 83, 49, 36, 46, 49, 49, 1, 78, +- 93, 34, 1, 41, 82, 82, 33, 47, 36, 81, +- 49, 49, 49, 49, 1, 78, 49, 49 ++ 28, 29, 30, 31, 32, 42, 58, 61, 65, 66, ++ 67, 68, 69, 70, 74, 85, 100, 102, 45, 46, ++ 38, 52, 97, 23, 38, 52, 88, 60, 38, 88, ++ 48, 48, 45, 38, 48, 50, 62, 63, 64, 71, ++ 75, 76, 67, 97, 38, 98, 99, 59, 88, 1, ++ 65, 89, 90, 91, 61, 65, 88, 66, 82, 38, ++ 1, 75, 72, 73, 74, 45, 47, 75, 30, 33, ++ 101, 34, 48, 51, 46, 47, 61, 45, 46, 38, ++ 42, 48, 53, 71, 77, 78, 92, 93, 94, 95, ++ 46, 1, 91, 75, 38, 42, 48, 71, 83, 84, ++ 49, 49, 49, 49, 74, 64, 96, 1, 79, 80, ++ 81, 82, 35, 46, 99, 95, 1, 38, 77, 35, ++ 77, 96, 34, 48, 45, 47, 1, 42, 83, 83, ++ 34, 48, 45, 31, 51, 86, 87, 49, 49, 37, ++ 47, 49, 49, 1, 79, 94, 49, 49, 1, 79, ++ 35, 37, 82, 49, 49, 49, 49 + }; + + #define yyerrok (yyerrstatus = 0) +@@ -890,17 +895,18 @@ static const yytype_uint8 yystos[] = + + #define YYRECOVERING() (!!yyerrstatus) + +-#define YYBACKUP(Token, Value) \ +-do \ +- if (yychar == YYEMPTY && yylen == 1) \ +- { \ +- yychar = (Token); \ +- yylval = (Value); \ +- YYPOPSTACK (1); \ +- goto yybackup; \ +- } \ +- else \ +- { \ ++#define YYBACKUP(Token, Value) \ ++do \ ++ if (yychar == YYEMPTY) \ ++ { \ ++ yychar = (Token); \ ++ 
yylval = (Value); \ ++ YYPOPSTACK (yylen); \ ++ yystate = *yyssp; \ ++ goto yybackup; \ ++ } \ ++ else \ ++ { \ + yyerror (YY_("syntax error: cannot back up")); \ + YYERROR; \ + } \ +@@ -995,6 +1001,8 @@ yy_symbol_value_print (yyoutput, yytype, yyvaluep) + YYSTYPE const * const yyvaluep; + #endif + { ++ FILE *yyo = yyoutput; ++ YYUSE (yyo); + if (!yyvaluep) + return; + # ifdef YYPRINT +@@ -1246,12 +1254,12 @@ static int + yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, + yytype_int16 *yyssp, int yytoken) + { +- YYSIZE_T yysize0 = yytnamerr (0, yytname[yytoken]); ++ YYSIZE_T yysize0 = yytnamerr (YY_NULL, yytname[yytoken]); + YYSIZE_T yysize = yysize0; + YYSIZE_T yysize1; + enum { YYERROR_VERBOSE_ARGS_MAXIMUM = 5 }; + /* Internationalized format string. */ +- const char *yyformat = 0; ++ const char *yyformat = YY_NULL; + /* Arguments of yyformat. */ + char const *yyarg[YYERROR_VERBOSE_ARGS_MAXIMUM]; + /* Number of reported tokens (one for the "unexpected", one per +@@ -1311,7 +1319,7 @@ yysyntax_error (YYSIZE_T *yymsg_alloc, char **yymsg, + break; + } + yyarg[yycount++] = yytname[yyx]; +- yysize1 = yysize + yytnamerr (0, yytname[yyx]); ++ yysize1 = yysize + yytnamerr (YY_NULL, yytname[yyx]); + if (! (yysize <= yysize1 + && yysize1 <= YYSTACK_ALLOC_MAXIMUM)) + return 2; +@@ -1463,7 +1471,7 @@ yyparse () + `yyss': related to states. + `yyvs': related to semantic values. + +- Refer to the stacks thru separate pointers, to allow yyoverflow ++ Refer to the stacks through separate pointers, to allow yyoverflow + to reallocate them elsewhere. */ + + /* The state stack. */ +@@ -2346,7 +2354,7 @@ yyabortlab: + yyresult = 1; + goto yyreturn; + +-#if !defined(yyoverflow) || YYERROR_VERBOSE ++#if !defined yyoverflow || YYERROR_VERBOSE + /*-------------------------------------------------. + | yyexhaustedlab -- memory exhaustion comes here. 
| + `-------------------------------------------------*/ +diff --git a/scripts/genksyms/parse.tab.h_shipped b/scripts/genksyms/parse.tab.h_shipped +index 93240a3..a4737de 100644 +--- a/scripts/genksyms/parse.tab.h_shipped ++++ b/scripts/genksyms/parse.tab.h_shipped +@@ -1,8 +1,8 @@ +-/* A Bison parser, made by GNU Bison 2.5. */ ++/* A Bison parser, made by GNU Bison 2.5.1. */ + + /* Bison interface for Yacc-like parsers in C + +- Copyright (C) 1984, 1989-1990, 2000-2011 Free Software Foundation, Inc. ++ Copyright (C) 1984, 1989-1990, 2000-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by +@@ -66,18 +66,19 @@ + EXPORT_SYMBOL_KEYW = 284, + ASM_PHRASE = 285, + ATTRIBUTE_PHRASE = 286, +- BRACE_PHRASE = 287, +- BRACKET_PHRASE = 288, +- EXPRESSION_PHRASE = 289, +- CHAR = 290, +- DOTS = 291, +- IDENT = 292, +- INT = 293, +- REAL = 294, +- STRING = 295, +- TYPE = 296, +- OTHER = 297, +- FILENAME = 298 ++ TYPEOF_PHRASE = 287, ++ BRACE_PHRASE = 288, ++ BRACKET_PHRASE = 289, ++ EXPRESSION_PHRASE = 290, ++ CHAR = 291, ++ DOTS = 292, ++ IDENT = 293, ++ INT = 294, ++ REAL = 295, ++ STRING = 296, ++ TYPE = 297, ++ OTHER = 298, ++ FILENAME = 299 + }; + #endif + +diff --git a/scripts/genksyms/parse.y b/scripts/genksyms/parse.y +index 23c3999..b9f4cf2 100644 +--- a/scripts/genksyms/parse.y ++++ b/scripts/genksyms/parse.y +@@ -103,6 +103,7 @@ static void record_compound(struct string_list **keyw, + + %token ASM_PHRASE + %token ATTRIBUTE_PHRASE ++%token TYPEOF_PHRASE + %token BRACE_PHRASE + %token BRACKET_PHRASE + %token EXPRESSION_PHRASE +@@ -220,8 +221,8 @@ storage_class_specifier: + type_specifier: + simple_type_specifier + | cvar_qualifier +- | TYPEOF_KEYW '(' decl_specifier_seq '*' ')' +- | TYPEOF_KEYW '(' decl_specifier_seq ')' ++ | TYPEOF_KEYW '(' parameter_declaration ')' ++ | TYPEOF_PHRASE + + /* References to s/u/e's defined elsewhere. 
Rearrange things + so that it is easier to expand the definition fully later. */ +-- +cgit v0.11.2 + diff --git a/src/squid-accounting/acct.de.pl b/src/squid-accounting/acct.de.pl index 0291a9d..c139d03 100644 --- a/src/squid-accounting/acct.de.pl +++ b/src/squid-accounting/acct.de.pl @@ -77,7 +77,7 @@ 'acct mailuser' => 'Benutzername', 'acct mailpass' => 'Passwort', 'acct mailrcpt' => 'E-Mail-Empfänger', -'acct mailsender' => 'E-Mail Absender', +'acct mailsender' => 'E-Mail-Absender', 'acct mailtxt' => 'Text der Rechnungsmails', 'acct mb' => 'MB', 'acct members' => 'Mitglieder',
hooks/post-receive -- IPFire 2.x development tree