This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  6fc3f2e685d42d9c6261ca281740ce067ab6e00d (commit)
       via  e7dafc3e3eb7be7e685fe0e7b3999fd6f264c80b (commit)
       via  f0ce8b2c8853041cd708a0cef88b1bd22cbf88df (commit)
       via  d66433fca6323940ac217d7a0834a0b178d509eb (commit)
       via  49ce16f9bea9f1812be5cb41ef7b390556fc2364 (commit)
       via  8d76eb20852a695b15e6fd32076128a25fad01d1 (commit)
       via  bfd5cfa9c6949eca6319a774b871007c9da8fd0e (commit)
       via  a485606c27781a5439d38fcde662a786cb5671d9 (commit)
      from  4fc1a0045b48b1a459256d146030279c9905a13e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 6fc3f2e685d42d9c6261ca281740ce067ab6e00d
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Tue Apr 9 07:31:23 2019 +0200
core130: insert a core update for urgent fixes.
The bigger changes for suricata and the kernel need more time for testing, so we insert a core with smaller but important fixes.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e7dafc3e3eb7be7e685fe0e7b3999fd6f264c80b
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Tue Apr 9 07:30:26 2019 +0200
core130: ship strongswan
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f0ce8b2c8853041cd708a0cef88b1bd22cbf88df
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Apr 8 11:56:58 2019 +0100
core130: Ship perl-Net-SSLeay
This was still using the old version of OpenSSL.
Instead of linking the module (which we should have found earlier), the module uses dlopen :(
Fixes: #12044
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d66433fca6323940ac217d7a0834a0b178d509eb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Apr 8 16:41:24 2019 +0100
strongswan: Manually install all routes for non-routed VPNs
This is a regression from disabling charon.install_routes.
VPNs are routing fine as long as traffic is passing through the firewall. Traps are not properly used as long as these routes are not present, and therefore we won't trigger any tunnels when traffic originates from the firewall.
Fixes: #12045
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 49ce16f9bea9f1812be5cb41ef7b390556fc2364
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Apr 4 02:07:16 2019 +0100
core130: Ship updated wget
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8d76eb20852a695b15e6fd32076128a25fad01d1
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Thu Apr 4 09:43:50 2019 +0200
wget: Update to 1.20.2
For details see: https://fossies.org/linux/wget/ChangeLog
Excerpt from "NEWS":
* Changes in Wget 1.20.2
** NTLM authentication will retry under certain cases
** Fixed a buffer overflow vulnerability
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit bfd5cfa9c6949eca6319a774b871007c9da8fd0e
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Wed Mar 27 20:54:10 2019 +0100
clamav: Update to 0.101.2
For details see: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
"ClamAV 0.101.2 is a patch release to address a handful of security related bugs."
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a485606c27781a5439d38fcde662a786cb5671d9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 18 15:24:56 2019 +0000
ipsec-interfaces: Apply static routes (again) after creating IPsec interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/core/{129 => 130}/exclude                |   0
 .../{oldcore/120 => core/130}/filelists/Net_SSLeay        |   0
 config/rootfiles/core/130/filelists/files                 |   3 +
 .../core/{129 => 130}/filelists/strongswan                |   0
 .../{oldcore/104 => core/130}/filelists/wget              |   0
 config/rootfiles/core/{129 => 130}/update.sh              |   2 +-
 config/rootfiles/packages/clamav                          |   6 +-
 lfs/clamav                                                |   8 +-
 lfs/strongswan                                            |   1 +
 lfs/wget                                                  |   6 +-
 make.sh                                                   |   4 +-
 src/patches/strongswan-ipfire-revert.patch                | 113 +++++++++++++++++++++
 src/scripts/ipsec-interfaces                              | 100 ++++++++++++++++++
 13 files changed, 230 insertions(+), 13 deletions(-)
 copy config/rootfiles/core/{129 => 130}/exclude (100%)
 copy config/rootfiles/{oldcore/120 => core/130}/filelists/Net_SSLeay (100%)
 create mode 100644 config/rootfiles/core/130/filelists/files
 copy config/rootfiles/core/{129 => 130}/filelists/strongswan (100%)
 copy config/rootfiles/{oldcore/104 => core/130}/filelists/wget (100%)
 copy config/rootfiles/core/{129 => 130}/update.sh (99%)
 create mode 100644 src/patches/strongswan-ipfire-revert.patch
Difference in files: diff --git a/config/rootfiles/core/130/exclude b/config/rootfiles/core/130/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/core/130/exclude @@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/130/filelists/Net_SSLeay b/config/rootfiles/core/130/filelists/Net_SSLeay new file mode 120000 index 000000000..13fe0560c --- /dev/null +++ b/config/rootfiles/core/130/filelists/Net_SSLeay @@ -0,0 +1 @@ +../../../common/Net_SSLeay \ No newline at end of file diff --git a/config/rootfiles/core/130/filelists/files b/config/rootfiles/core/130/filelists/files new file mode 100644 index 000000000..98b8fec39 --- /dev/null +++ b/config/rootfiles/core/130/filelists/files @@ -0,0 +1,3 @@ +etc/system-release +etc/issue +usr/local/bin/ipsec-interfaces diff --git a/config/rootfiles/core/130/filelists/strongswan b/config/rootfiles/core/130/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/130/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/130/filelists/wget b/config/rootfiles/core/130/filelists/wget new file mode 120000 index 000000000..fcb57dfec --- /dev/null +++ b/config/rootfiles/core/130/filelists/wget @@ -0,0 +1 @@ +../../../common/wget \ No newline at end of file 
diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh new file mode 100644 index 000000000..f072e8052 --- /dev/null +++ b/config/rootfiles/core/130/update.sh 
@@ -0,0 +1,77 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2019 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=130 + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/squid stop +/usr/local/bin/openvpnctrl -k +/usr/local/bin/openvpnctrl -kn2n +/usr/local/bin/ipsecctrl D +/etc/init.d/unbound stop + +# Remove files +rm -vf \ + /usr/lib/firewall/ipsec-block + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Start services +/etc/init.d/firewall restart +/etc/init.d/unbound start +/usr/local/bin/ipsecctrl S +/usr/local/bin/openvpnctrl -s +/usr/local/bin/openvpnctrl -sn2n +/etc/init.d/squid start + +# This update needs a reboot... 
+#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index e95d4dc6e..9d6d68647 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav @@ -13,7 +13,7 @@ usr/bin/sigtool #usr/lib/libclamav.la usr/lib/libclamav.so usr/lib/libclamav.so.9 -usr/lib/libclamav.so.9.0.1 +usr/lib/libclamav.so.9.0.2 #usr/lib/libclammspack.la usr/lib/libclammspack.so usr/lib/libclammspack.so.0 @@ -21,11 +21,11 @@ usr/lib/libclammspack.so.0.1.0 #usr/lib/libclamunrar.la usr/lib/libclamunrar.so usr/lib/libclamunrar.so.9 -usr/lib/libclamunrar.so.9.0.1 +usr/lib/libclamunrar.so.9.0.2 #usr/lib/libclamunrar_iface.la usr/lib/libclamunrar_iface.so usr/lib/libclamunrar_iface.so.9 -usr/lib/libclamunrar_iface.so.9.0.1 +usr/lib/libclamunrar_iface.so.9.0.2 #usr/lib/pkgconfig/libclamav.pc usr/sbin/clamd #usr/share/man/man1/clambc.1 diff --git a/lfs/clamav b/lfs/clamav index a6e44ebf2..640691408 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 0.101.1 +VER = 0.101.2
THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 43 +PAK_VER = 44
DEPS = ""
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9c137d6172f6e132e08e61fe25b636f8 +$(DL_FILE)_MD5 = faeb0e286e76c2a26e2e10845e4b68db
install : $(TARGET)
diff --git a/lfs/strongswan b/lfs/strongswan index 4174f78fe..714537e36 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch
cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/lfs/wget b/lfs/wget index b8c83d10d..ac2fa826c 100644 --- a/lfs/wget +++ b/lfs/wget @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.20.1 +VER = 1.20.2
THISAPP = wget-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = f6ebe9c7b375fc9832fb1b2028271fb7 +$(DL_FILE)_MD5 = 2692f6678e93601441306b5c1fc6a77a
install : $(TARGET)
diff --git a/make.sh b/make.sh index 3453c6719..08cf31901 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.21" # Version number -CORE="129" # Core Level (Filename) -PAKFIRE_CORE="129" # Core Level (PAKFIRE) +CORE="130" # Core Level (Filename) +PAKFIRE_CORE="130" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch new file mode 100644 index 000000000..91c76212e --- /dev/null +++ b/src/patches/strongswan-ipfire-revert.patch 
@@ -0,0 +1,113 @@ +--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100 ++++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100 +@@ -130,36 +130,6 @@ + # address family. + # + +-VARS=( +- id status name lefthost type ctype psk local local_id leftsubnets +- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 +- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 +- route x23 mode interface_mode interface_address interface_mtu rest +-) +- +-function ip_encode() { +- local IFS=. +- +- local int=0 +- for field in $1; do +- int=$(( $(( $int << 8 )) | $field )) +- done +- +- echo $int +-} +- +-function ip_in_subnet() { +- local netmask +- netmask=$(_netmask $2) +- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] +-} +- +-function _netmask() { +- local vlsm +- vlsm=${1#*/} +- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) +-} +- + # define a minimum PATH environment in case it is not set + PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" + export PATH +@@ -326,13 +296,6 @@ + fi + ;; + up-client:iptables) +- # Read IPsec configuration +- while IFS="," read -r "${VARS[@]}"; do +- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then +- break +- fi +- done < /var/ipfire/vpn/config +- + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. +@@ -396,30 +359,6 @@ + logger -t $TAG -p $FAC_PRIO \ + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" + fi +- +- if [ -z "${interface_mode}" ]; then +- # Add source nat so also the gateway can access the other nets +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? 
-eq 0 ]; then +- src=${_src} +- break +- fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" +- fi +- fi +- +- # Flush routing cache +- ip route flush cache + ;; + down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down +@@ -487,28 +426,6 @@ + logger -t $TAG -p $FAC_PRIO \ + "tunnel- $PLUTO_PEER -- $PLUTO_ME" + fi +- +- # remove source nat +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? -eq 0 ]; then +- src=${_src} +- break +- fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot remove NAT rule because no IP of the IPFire does match the subnet." +- fi +- +- # Flush routing cache +- ip route flush cache + ;; + # + # IPv6 diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces index 0e43fccbc..2546f8927 100644 --- a/src/scripts/ipsec-interfaces +++ b/src/scripts/ipsec-interfaces @@ -23,9 +23,19 @@ shopt -s nullglob
VPN_CONFIG="/var/ipfire/vpn/config"
+ROUTE_TABLE="220" +ROUTE_TABLE_PRIO="128" + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings)
+# Get RED interface name +if [ -r "/var/ipfire/red/iface" ]; then + RED_INTF="$(</var/ipfire/red/iface)" +else + RED_INTF="red0" +fi + VARS=( id status name lefthost type ctype psk local local_id leftsubnets remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 @@ -43,6 +53,52 @@ resolve_hostname() { dig +short A "${hostname}" | tail -n1 }
+ip_encode() { + local address="${1}" + + local int=0 + for field in ${address//./ }; do + int=$(( $(( ${int} << 8 )) | ${field} )) + done + + echo ${int} +} + +function ip_in_subnet() { + local address="${1}" + local subnet="${2}" + + local netmask="${subnet#*/}" + + # Convert netmask to prefix if necessary + case "${netmask}" in + [0-9]+) + ;; + *) + netmask="$(netmask2prefix "${netmask}")" + ;; + esac + + local vlsm=$(( -1 << $(( 32 - ${netmask} )) )) + + [ "$(( $(ip_encode "${address}") & ${vlsm} ))" -eq "$(( $(ip_encode "${subnet%/*}") & ${vlsm} ))" ] +} + +netmask2prefix() { + local netmask="${1}" + local mask="$(ip_encode "${netmask}")" + + local cidr=0 + local x="$(( 128 << 24 ))" # 0x80000000 + + while [ $(( ${x} & ${mask} )) -ne 0 ]; do + [ ${mask} -eq ${x} ] && mask=0 || mask=$(( ${mask} << 1 )) + cidr=$(( ${cidr} + 1 )) + done + + echo "${cidr}" +} + main() { # Register local variables local "${VARS[@]}" @@ -50,8 +106,17 @@ main() {
local interfaces=()
+ # Flush IPsec routes + ip route flush table "${ROUTE_TABLE}" + + # Remove lookups + ip rule del lookup "${ROUTE_TABLE}" + # We are done when IPsec is not enabled if [ "${ENABLED}" = "on" ]; then + # Enable route table lookup + ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}" + while IFS="," read -r "${VARS[@]}"; do # Check if the connection is enabled [ "${status}" = "on" ] || continue @@ -65,6 +130,38 @@ main() { local intf="${interface_mode}${id}" ;; *) + # Install routes + local address + + local _address + for _address in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do + local leftsubnet + for leftsubnet in ${leftsubnets//|/ }; do + if ip_in_subnet "${_address}" "${leftsubnet}"; then + address="${_address}" + break + fi + done + + # End loop when address is set + [ -n "${address}" ] && break + done + + local rightsubnet + for rightsubnet in ${rightsubnets//|/ }; do + # Ignore default + case "${rightsubnet}" in + 0.0.0.0/*) + continue + ;; + esac + + log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})" + ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \ + dev "${RED_INTF}" src "${address}" + done + + # No interface processing required continue ;; esac @@ -167,6 +264,9 @@ main() { log "Deleting interface ${intf}" ip link del "${intf}" &>/dev/null done + + # (Re-)Apply all static routes + /etc/init.d/static-routes start }
main || exit $?
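Review bot: the config/rootfiles/core/130/update.sh hunk removes `/usr/lib/firewall/ipsec-block` (`rm -vf /usr/lib/firewall/ipsec-block`) but none of the eight commit messages in this push mentions that file or why it is obsolete; a sentence in the core130 commit explaining the removal would help anyone tracing a later firewall-rule regression back to this update. In the same hunk the comment `# This update needs a reboot...` is kept while the `touch /var/run/need_reboot` beneath it is commented out, which reads as contradictory; either drop the comment or re-enable the touch if the strongswan routing change does need a reboot.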
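Review bot: the lfs/clamav hunk at `@@ -50,7 +50,7 @@` changes only `$(DL_FILE)_MD5`, so the new tarball is still integrity-checked with an MD5 digest alone; the lfs/wget hunk at `@@ -40,7 +40,7 @@` has the same shape. Both commits are security updates (the ClamAV message cites a patch release for security bugs, the wget message a buffer overflow fix), so it would be worth adding a SHA-256 digest or upstream signature verification alongside the MD5 line, since MD5 is no longer collision-resistant and the digest is the only thing standing between a tampered mirror copy and the build.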
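Review bot: the `up-client:iptables` hunk of src/patches/strongswan-ipfire-revert.patch (`@@ -396,30 +359,6 @@`) and its `down-client:iptables` counterpart remove the IPSECNAT SNAT rules (`iptables --wait -t nat -A IPSECNAT ... -j SNAT --to $src`) together with the `ip route flush cache` calls, yet commit d66433f only says routes are now installed manually. The commit message should state explicitly that source NAT for firewall-originated traffic is replaced by the `src` address on the table 220 routes in ipsec-interfaces; anyone bisecting a NAT-related VPN regression will otherwise not find the change, because the revert patch is applied silently from lfs/strongswan.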
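Review bot: in the src/scripts/ipsec-interfaces hunk at `@@ -23,9 +23,19 @@`, `ROUTE_TABLE="220"` is the routing table charon's kernel-netlink plugin installs its own routes into when `install_routes` is enabled, and a later hunk in this file runs `ip route flush table "${ROUTE_TABLE}"` on every invocation. That only works because install_routes is disabled (per commit d66433f); a comment next to the definition stating that dependency would stop someone from re-enabling install_routes and having every ipsec-interfaces run wipe charon's routes.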
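Review bot: in the ipsec-interfaces hunk at `@@ -43,6 +53,52 @@`, the `case` pattern `[0-9]+)` in `ip_in_subnet` never matches a CIDR prefix: in a shell `case`, `+` is a literal character, so `[0-9]+` matches only a single digit followed by `+`. A prefix such as `24` therefore falls into the `*)` branch and is passed to `netmask2prefix`, whose `ip_encode "24"` yields the integer 24; `$(( x & mask ))` with `x=0x80000000` is then 0, the loop never runs and the function returns 0. `vlsm` becomes `$(( -1 << 32 ))`, whose low 32 bits are all zero, so both sides of the final `-eq` are 0 and `ip_in_subnet` reports every address as inside every subnet. In the caller that silently selects `GREEN_ADDRESS` as the route source for every connection, which masks the bug on the common layout. Suggested fix: match dotted netmasks explicitly and treat everything else as a prefix, for example `case "${netmask}" in *.*) netmask="$(netmask2prefix "${netmask}")" ;; esac`. The removed `ip_in_subnet` in _updown worked because it used the prefix directly (`vlsm=${1#*/}`).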
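Review bot: in the ipsec-interfaces hunk at `@@ -50,8 +106,17 @@`, `ip rule del lookup "${ROUTE_TABLE}"` deletes a single matching rule and writes an error to stderr when none exists, which is the normal state on the first run after this update and whenever IPsec is disabled. Looping until deletion fails, e.g. `while ip rule del lookup "${ROUTE_TABLE}" 2>/dev/null; do :; done`, keeps the script quiet and also clears duplicate rules left behind by an interrupted earlier run, which a single `del` would not. Flushing the table and rule before the `ENABLED` check is the right order, since it makes disabling IPsec remove the routes as well.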
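Review bot: in the ipsec-interfaces hunk at `@@ -65,6 +130,38 @@`, `address` is not reset per connection. The `local address` inside the `while read` loop runs in main's scope, and in bash redeclaring an existing local without a value keeps its previous value, so for a second connection whose `leftsubnets` match none of `GREEN_ADDRESS`, `BLUE_ADDRESS` or `ORANGE_ADDRESS`, the `[ -n "${address}" ] && break` fires immediately and its routes are installed with the previous connection's `src`. For the first connection with no match, `address` is empty and `ip route add ... src ""` fails with an iproute2 argument error after the "Creating route" log line has already been written. Suggest `local address=""` at the top of the `*)` branch and, when it is still empty after the loop, logging and `continue`-ing instead of calling `ip route add`, mirroring the "Cannot create NAT rule because no IP of the IPFire does match the subnet" path that the revert patch removes from _updown.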
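Review bot: the final ipsec-interfaces hunk at `@@ -167,6 +264,9 @@` calls `/etc/init.d/static-routes start` unconditionally at the end of main, including the path where IPsec is disabled and all interfaces have just been deleted. Re-adding static routes after deleting and recreating the interfaces is the point of commit a485606, but the script is run on every IPsec change, so please confirm that the init script tolerates routes which already exist (`ip route add` returns "File exists" for those) rather than aborting partway through the list.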
hooks/post-receive -- IPFire 2.x development tree