This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via ba5da82e9be39e2236a709c9d61f48b217c5dd35 (commit)
  via 4fdaa9577b45487dd13df467d09817beafc1e1f1 (commit)
  via 6408ff8d6a952cd88927a7ba6a7aece6cdfb04c0 (commit)
  via 78e2c1dce515487d7db912970a1e12202990662d (commit)
  via fc2b1edc73a536a231a9e89e795ba55e42b902c8 (commit)
  via 238a47874fe044ae90129bde10b267063c4305f5 (commit)
  via 2841a675482879a5eb6bfeaabb268066af762e9d (commit)
  via 3162b6ccfa2fb22513c7d23d29f0509343f46828 (commit)
  via 1db5f96c5ebbb2074c9c0a3edf29866c4769da11 (commit)
  via eb0de6531c441663477cf7e139f1bd5321630eef (commit)
  via 4f455c488ee8542bea4ccbe439351b3e9973c6e4 (commit)
  via 9c28cd59c1b4f535382e5e4e7952d921af8cc03b (commit)
  via e33ee46e621eb6967c954a9d3b4683880e372579 (commit)
  via 87a97a431915849cf6d19e1b7137b4fb0b6dd91d (commit)
  from dbda89e0fce3514f6d1d1f3d2499d7d26227f34b (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit ba5da82e9be39e2236a709c9d61f48b217c5dd35 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Apr 19 19:55:13 2024 +0000
core186: ship ipblocklist sources
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4fdaa9577b45487dd13df467d09817beafc1e1f1 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 19 15:39:41 2024 +0200
backup.pl: removes any references to ALIENVAULT & SPAMHAUS_EDROP from restores
- This patch ensures that if a restore is carried out from an earlier version that includes ALIENVAULT and/or SPAMHAUS_EDROP that the references will be removed. - This is the same code as was put into the update.sh file with the previous patch of this set.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 6408ff8d6a952cd88927a7ba6a7aece6cdfb04c0 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 19 15:39:40 2024 +0200
update.sh: Remove existing entries for ALIENVAULT & SPAMHAUS_EDROP
- This removes any time entries in the modified file for either ALIENVAULT or SPAMHAUS_EDROP. - This also removes any blocklists for either of these sources from the /var/lib/ipblocklist directory. - This patch will ensure that any reference to either of these sources is removed from the ipblocklist files.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 78e2c1dce515487d7db912970a1e12202990662d Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 19 15:39:39 2024 +0200
sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources
- ALIENVAULT has not been updated since at least Nov 2022 but probably earlier. There is no date for the file to be downloaded but a forum user has log messages from Nov 2022 that indicate the file had not changed and therefore no download occurred.
- AT&T acquired AlienVault in August 2018. Somewhere between 2018 and 2022 the list stopped getting updated. AlienVault references on the AT&T website are now for a different product.
- Discussed in IPFire conf call of April 2024 and agreed to remove the ALIENVAULT blocklist.
- On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP list. The eDROP list is still available but is now empty. Trying to select the SPAMHAUS_EDROP list gives an error message that the blocklist was found to be empty.
- This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists from the ipblocklist sources file.
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit fc2b1edc73a536a231a9e89e795ba55e42b902c8 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Apr 19 18:53:27 2024 +0000
core185: ship fixes for bug12763
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 238a47874fe044ae90129bde10b267063c4305f5 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:08 2024 +0200
oci-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 2841a675482879a5eb6bfeaabb268066af762e9d Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:07 2024 +0200
gcp-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 3162b6ccfa2fb22513c7d23d29f0509343f46828 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:06 2024 +0200
exoscale-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 1db5f96c5ebbb2074c9c0a3edf29866c4769da11 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:05 2024 +0200
azure-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit eb0de6531c441663477cf7e139f1bd5321630eef Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:04 2024 +0200
aws-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 4f455c488ee8542bea4ccbe439351b3e9973c6e4 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:03 2024 +0200
ip-up: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 9c28cd59c1b4f535382e5e4e7952d921af8cc03b Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:02 2024 +0200
red: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit e33ee46e621eb6967c954a9d3b4683880e372579 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:01 2024 +0200
static-routes: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output is not used to feed into a variable. - This will prevent any error messages related to empty iproute tables being displayed during boot. - Tested on my vm system and confirmed that the fix in ipsec-interfaces stops the "FIB table does not exist" and "RTNETLINK answers: no such file or directory" messages during boot.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit 87a97a431915849cf6d19e1b7137b4fb0b6dd91d Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 11 17:01:00 2024 +0200
ipsec-interfaces: Fixes bug12763
- Some of the ip route commands are not redirected to null. This causes the "FIB table does not exist" message from bug12763.
- This patch makes all ip route commands get redirected to null, preventing the error message from being seen at boot.
- One of the ip rule commands is not redirected to null. This causes the "RTNETLINK answers: no such file or directory" message.
- This patch makes all ip rule commands get redirected to null, preventing the error message from being seen at boot.
- Additional patches in this set ensure that all ip route and ip rule commands in all IPFire code are redirected to null unless the output of the ip route or ip rule command is used in a variable for use elsewhere in the code.
- Tested on my vm system and confirmed that the fix in ipsec-interfaces stops the "FIB table does not exist" and "RTNETLINK answers: no such file or directory" messages during boot.
Fixes: Bug#12763 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/backup/backup.pl                   | 13 ++++++++++++-
 config/ipblocklist/sources                | 12 ------------
 config/rootfiles/core/186/filelists/files | 10 ++++++++++
 config/rootfiles/core/186/update.sh       | 11 +++++++++++
 src/initscripts/helper/aws-setup          |  2 +-
 src/initscripts/helper/azure-setup        |  2 +-
 src/initscripts/helper/exoscale-setup     |  2 +-
 src/initscripts/helper/gcp-setup          |  4 ++--
 src/initscripts/helper/oci-setup          |  4 ++--
 src/initscripts/networking/red            |  4 ++--
 src/initscripts/system/static-routes      |  6 +++---
 src/ppp/ip-up                             |  2 +-
 src/scripts/ipsec-interfaces              |  8 ++++----
 13 files changed, 50 insertions(+), 30 deletions(-)
Difference in files: diff --git a/config/backup/backup.pl b/config/backup/backup.pl index b434207400..d848084e94 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -193,7 +193,7 @@ restore_backup() {
# Update OpenVPN CRL /etc/fcron.daily/openvpn-crl-updater - + # Update OpenVPN N2N Client Configs ## Add providers legacy default line to n2n client config files # Check if ovpnconfig exists and is not empty @@ -246,6 +246,17 @@ restore_backup() { -signkey /etc/httpd/server.key \ -out /etc/httpd/server.crt &>/dev/null fi + + # Remove any entry for ALIENVAULT or SPAMHAUS_EDROP from the ipblocklist modified file + # and the associated ipblocklist files from the /var/lib/ipblocklist directory + sed -i '/ALIENVAULT=/d' /var/ipfire/ipblocklist/modified + sed -i '/SPAMHAUS_EDROP=/d' /var/ipfire/ipblocklist/modified + if [ -e /var/lib/ipblocklist/ALIENVAULT.conf ]; then + rm /var/lib/ipblocklist/ALIENVAULT.conf + fi + if [ -e /var/lib/ipblocklist/SPAMHAUS_EDROP.conf ]; then + rm /var/lib/ipblocklist/SPAMHAUS_EDROP.conf + fi return 0 }
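Review bot: The two sed -i calls in the block added to restore_backup() run unconditionally, while the rm calls below them are guarded with [ -e ... ]. If a restored backup carries no /var/ipfire/ipblocklist/modified file, sed will report that it cannot read it during the restore. Put the sed calls behind the same kind of existence test, and consider anchoring the patterns as '/^ALIENVAULT=/d' and '/^SPAMHAUS_EDROP=/d' so that only lines beginning with those keys are deleted rather than any line that happens to contain the substring.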
diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index be0cf0229d..0835c0f9c3 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -55,12 +55,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'parser' => 'ip-or-net-list', 'rate' => '12h', 'category' => 'reputation' }, - 'SPAMHAUS_EDROP' => { 'name' => "Spamhaus Extended Don't Route or Peer List", - 'url' => 'https://www.spamhaus.org/drop/edrop.txt', - 'info' => 'https://www.spamhaus.org/drop/', - 'parser' => 'ip-or-net-list', - 'rate' => '1h', - 'category' => 'reputation' }, 'DSHIELD' => { 'name' => 'Dshield.org Recommended Block List', 'url' => 'https://www.dshield.org/block.txt', 'info' => 'https://dshield.org/', @@ -106,12 +100,6 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'parser' => 'ip-or-net-list',, 'rate' => '1h', 'category' => 'application' }, - 'ALIENVAULT' => { 'name' => 'AlienVault IP Reputation database', - 'url' => 'https://reputation.alienvault.com/reputation.generic', - 'info' => 'https://www.alienvault.com/resource-center/videos/what-is-ip-domain-reputati...', - 'parser' => 'ip-or-net-list', - 'rate' => '1h', - 'category' => 'reputation' }, 'BOGON' => { 'name' => 'Bogus address list (Martian)', 'url' => 'https://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt', 'info' => 'https://www.team-cymru.com/bogon-reference', diff --git a/config/rootfiles/core/186/filelists/files b/config/rootfiles/core/186/filelists/files index 86c9d666a6..c1bb727bd4 100644 --- a/config/rootfiles/core/186/filelists/files +++ b/config/rootfiles/core/186/filelists/files 
@@ -1,6 +1,16 @@ +etc/rc.d/helper/aws-setup +etc/rc.d/helper/azure-setup +etc/rc.d/helper/exoscale-setup +etc/rc.d/helper/gcp-setup +etc/rc.d/helper/oci-setup +etc/rc.d/init.d/networking/red +etc/rc.d/init.d/static-routes +etc/ppp/ip-up etc/rc.d/init.d/functions etc/rc.d/init.d/grub-btrfsd etc/rc.d/rc0.d/K01grub-btrfsd etc/rc.d/rc3.d/S99grub-btrfsd etc/rc.d/rc6.d/K01grub-btrfsd srv/web/ipfire/cgi-bin/vulnerabilities.cgi +usr/local/bin/ipsec-interfaces +var/ipfire/ipblocklist/sources diff --git a/config/rootfiles/core/186/update.sh b/config/rootfiles/core/186/update.sh index 80510b9342..33e253804b 100644 --- a/config/rootfiles/core/186/update.sh +++ b/config/rootfiles/core/186/update.sh @@ -137,6 +137,17 @@ if [ -e /boot/pakfire-kernel-update ]; then /boot/pakfire-kernel-update ${KVER} fi
+# Remove any entry for ALIENVAULT or SPAMHAUS_EDROP from the ipblocklist modified file +# and the associated ipblocklist files from the /var/lib/ipblocklist directory +sed -i '/ALIENVAULT=/d' /var/ipfire/ipblocklist/modified +sed -i '/SPAMHAUS_EDROP=/d' /var/ipfire/ipblocklist/modified +if [ -e /var/lib/ipblocklist/ALIENVAULT.conf ]; then + rm /var/lib/ipblocklist/ALIENVAULT.conf +fi +if [ -e /var/lib/ipblocklist/SPAMHAUS_EDROP.conf ]; then + rm /var/lib/ipblocklist/SPAMHAUS_EDROP.conf +fi + # This update needs a reboot... touch /var/run/need_reboot
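Review bot: The block added to update.sh is a line-for-line copy of the one added to restore_backup() in backup.pl, so the next source that is retired has to be handled in two places and the copies can drift apart. Both copies would be shorter with a single sed -i carrying two -e expressions and with rm -f in place of each if [ -e ... ]; then rm ...; fi, and a shared helper called from both scripts would remove the duplication altogether.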
diff --git a/src/initscripts/helper/aws-setup b/src/initscripts/helper/aws-setup index f14f4eb578..0bcf755720 100644 --- a/src/initscripts/helper/aws-setup +++ b/src/initscripts/helper/aws-setup @@ -278,7 +278,7 @@ case "${reason}" in ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
# Add the default route - ip route add default via "${new_routers}" + ip route add default via "${new_routers}" >/dev/null 2>&1
# Setup DNS for domain_name_server in ${new_domain_name_servers}; do diff --git a/src/initscripts/helper/azure-setup b/src/initscripts/helper/azure-setup index 7a4422a353..eff963a4b1 100644 --- a/src/initscripts/helper/azure-setup +++ b/src/initscripts/helper/azure-setup @@ -298,7 +298,7 @@ case "${reason}" in ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
# Add the default route - ip route add default via "${new_routers}" + ip route add default via "${new_routers}" >/dev/null 2>&1
# Setup DNS for domain_name_server in ${new_domain_name_servers}; do diff --git a/src/initscripts/helper/exoscale-setup b/src/initscripts/helper/exoscale-setup index 02fdda2a35..acf5e4e4b9 100644 --- a/src/initscripts/helper/exoscale-setup +++ b/src/initscripts/helper/exoscale-setup @@ -227,7 +227,7 @@ case "${reason}" in ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
# Add the default route - ip route add default via "${new_routers}" + ip route add default via "${new_routers}" >/dev/null 2>&1
# Setup DNS for domain_name_server in ${new_domain_name_servers}; do diff --git a/src/initscripts/helper/gcp-setup b/src/initscripts/helper/gcp-setup index 4f5148c3e2..8273b70b4f 100644 --- a/src/initscripts/helper/gcp-setup +++ b/src/initscripts/helper/gcp-setup @@ -268,8 +268,8 @@ case "${reason}" in ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
# Add the default route - ip route add "${new_routers}" dev "${interface}" - ip route add default via "${new_routers}" + ip route add "${new_routers}" dev "${interface}" >/dev/null 2>&1 + ip route add default via "${new_routers}" >/dev/null 2>&1
# Setup DNS for domain_name_server in ${new_domain_name_servers}; do diff --git a/src/initscripts/helper/oci-setup b/src/initscripts/helper/oci-setup index 312014b74c..7275373438 100644 --- a/src/initscripts/helper/oci-setup +++ b/src/initscripts/helper/oci-setup @@ -304,8 +304,8 @@ case "${reason}" in ip addr add "${new_ip_address}/${new_subnet_mask}" dev "${interface}"
# Add the default route - ip route add "${new_routers}" dev "${interface}" - ip route add default via "${new_routers}" + ip route add "${new_routers}" dev "${interface}" >/dev/null 2>&1 + ip route add default via "${new_routers}" >/dev/null 2>&1
# Setup DNS for domain_name_server in ${new_domain_name_servers}; do diff --git a/src/initscripts/networking/red b/src/initscripts/networking/red index beb665e5f4..51bf95a436 100644 --- a/src/initscripts/networking/red +++ b/src/initscripts/networking/red @@ -129,10 +129,10 @@ case "${1}" in touch /var/ipfire/red/active
# Create route to default gateway - ip route add ${GATEWAY} dev ${DEVICE} + ip route add ${GATEWAY} dev ${DEVICE} >/dev/null 2>&1
boot_mesg "Setting up default gateway ${GATEWAY}..." - ip route add default via ${GATEWAY} dev ${DEVICE} + ip route add default via ${GATEWAY} dev ${DEVICE} >/dev/null 2>&1 evaluate_retval
if [ -d "/sys/class/net/${DEVICE}" ]; then diff --git a/src/initscripts/system/static-routes b/src/initscripts/system/static-routes index 85785e9af8..9aacc8db5f 100644 --- a/src/initscripts/system/static-routes +++ b/src/initscripts/system/static-routes @@ -29,14 +29,14 @@ function init_table() { return fi
- ip rule add table static + ip rule add table static >/dev/null 2>&1 }
function create_all_routes() { local file=${1} shift
- # Remote all routes. + # Remove all routes. ip route flush table static >/dev/null 2>&1
local status @@ -54,7 +54,7 @@ function create_all_routes() { continue fi
- ip route add ${network} via ${gateway} table static proto static + ip route add ${network} via ${gateway} table static proto static >/dev/null 2>&1 done < ${file} }
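Review bot: In create_all_routes() the ip route add inside the while loop now discards stderr, and nothing in the visible lines checks its exit status, so an entry in ${file} with an invalid network or gateway is dropped without any trace. Test the return value and report the failing ${network} and ${gateway} instead of relying on the redirect alone. ${network}, ${gateway} and ${file} are also unquoted here, unlike the variables in the helper scripts of this series.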
diff --git a/src/ppp/ip-up b/src/ppp/ip-up index 2e636e72d9..5f4ee77265 100644 --- a/src/ppp/ip-up +++ b/src/ppp/ip-up @@ -33,7 +33,7 @@ echo -n "$4" > /var/ipfire/red/local-ipaddress echo -n "$5" > /var/ipfire/red/remote-ipaddress touch /var/ipfire/red/active
-/sbin/ip route replace default via ${IPREMOTE} dev ppp0 +/sbin/ip route replace default via ${IPREMOTE} dev ppp0 >/dev/null 2>&1 run_subdir ${rc_base}/init.d/networking/red.up/
#Check if gateway has answerd to ping, if not replace with ping.ipfire.org diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces index 23512b9bd9..974d3ac845 100644 --- a/src/scripts/ipsec-interfaces +++ b/src/scripts/ipsec-interfaces @@ -107,15 +107,15 @@ main() { local interfaces=()
# Flush IPsec routes - ip route flush table "${ROUTE_TABLE}" + ip route flush table "${ROUTE_TABLE}" >/dev/null 2>&1
# Remove lookups - ip rule del lookup "${ROUTE_TABLE}" + ip rule del lookup "${ROUTE_TABLE}" >/dev/null 2>&1
# We are done when IPsec is not enabled if [ "${ENABLED}" = "on" ]; then # Enable route table lookup - ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}" + ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}" >/dev/null 2>&1
while IFS="," read -r "${VARS[@]}"; do # Check if the connection is enabled @@ -158,7 +158,7 @@ main() {
log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})" ip route add table "${ROUTE_TABLE}" "${rightsubnet}" proto static \ - dev "${RED_INTF}" src "${address}" + dev "${RED_INTF}" src "${address}" >/dev/null 2>&1 done
# No interface processing required
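Review bot: In the second hunk of src/scripts/ipsec-interfaces the ip route add follows directly after log "Creating route to ${rightsubnet} (via ${address} and ${RED_INTF})", and with >/dev/null 2>&1 a failed add leaves only that log line, which reads as if the route exists. Check the exit status and record the failure with the same log function, for example by appending || log "Could not create route to ${rightsubnet}" after the redirect.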
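Review bot: In the first hunk of src/scripts/ipsec-interfaces, the flush and the rule del at the top of main() can be expected to fail when the table has nothing in it yet, so discarding their output is reasonable, but the ip rule add lookup "${ROUTE_TABLE}" prio "${ROUTE_TABLE_PRIO}" inside the ENABLED check is silenced as well. If that add fails, the lookup the comment above it says it enables is missing and nothing reports it. Keep the redirect on the flush and del lines and let the add either show its error or log on a non-zero exit.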
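Review bot: In the src/initscripts/networking/red hunk, evaluate_retval still receives the exit status of ip route add default via ${GATEWAY} dev ${DEVICE}, but the redirect throws away the reason for a failure, and the first ip route add ${GATEWAY} dev ${DEVICE} has no status check at all. Consider sending stderr to the system log rather than /dev/null so that a failed default gateway setup can be diagnosed, and quote ${GATEWAY} and ${DEVICE} as the helper scripts in this series already do for their variables.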
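Review bot: In the aws-setup, azure-setup, exoscale-setup, gcp-setup and oci-setup hunks, ip route add default via "${new_routers}" now discards both output and errors, and no exit status check is visible in the surrounding lines, so a cloud instance that fails to install its default route gives no indication of it. These commands add a route rather than access a possibly empty table, which is the case the commit messages describe, so consider leaving stderr visible here or logging when the command returns non-zero.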
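Review bot: In config/ipblocklist/sources, the context line 'parser' => 'ip-or-net-list',, directly above the removed ALIENVAULT entry has a doubled comma. Perl tolerates it, but since this file is edited and shipped in this series, drop the extra comma in the same change.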
hooks/post-receive -- IPFire 2.x development tree