This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via f0728c790ffce0acc5373bc340596a5e9974c8c1 (commit) via dccbf1bf4e38401bc8be2d74c9bbc41e4f55e3ad (commit) via cea4fc3aaf3fb9b776a2209ccdaff6452e099f8e (commit) via 8df091d9680ca0230723fc62b56c9e1d29acb481 (commit) via bc70c8273792c3cbe41edca1a90f62b4ff0666a1 (commit) via 5b861b054576b43e5564289ca08875ee28859cbf (commit) via cb8a29b10bcbfa25a135a180ca8cc2c74f54cd52 (commit) via fffc646e743adb4aebdf75972bb2c9fb12e0675e (commit) via 7535861c50af78230d509e0440e00abacf3057cb (commit) from 4e9a2b57320fc17a2eaee06b60ee508ec79e59b0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit f0728c790ffce0acc5373bc340596a5e9974c8c1 Merge: dccbf1b cea4fc3 Author: Arne Fitzenreiter arne_f@git.ipfire.org Date: Tue Jul 29 22:01:19 2014 +0200
Merge remote-tracking branch 'origin/master' into next
Conflicts: config/cfgroot/general-functions.pl
commit dccbf1bf4e38401bc8be2d74c9bbc41e4f55e3ad Author: Arne Fitzenreiter arne_f@git.ipfire.org Date: Tue Jul 29 21:57:07 2014 +0200
firewall: add more pscan matches and filter INVALID conntrack packages.
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/common/stage2 | 1 + config/rootfiles/core/80/filelists/files | 3 +++ config/rootfiles/core/80/update.sh | 6 ++--- html/cgi-bin/logs.cgi/log.dat | 2 ++ lfs/ddns | 2 ++ src/initscripts/init.d/firewall | 29 ++++++++-------------- src/initscripts/init.d/rngd | 10 ++++++-- ...3-Add-a-program-prefix-to-syslog-messages.patch | 25 +++++++++++++++++++ 8 files changed, 54 insertions(+), 24 deletions(-) create mode 100644 src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
Difference in files:
diff --git a/config/rootfiles/common/stage2 b/config/rootfiles/common/stage2
index 39bf555..eb97040 100644
--- a/config/rootfiles/common/stage2
+++ b/config/rootfiles/common/stage2
@@ -98,6 +98,7 @@ usr/local/bin/timezone-transition
 usr/local/bin/update-lang-cache
 #usr/local/include
 #usr/local/lib
+#usr/local/lib/sse2
 #usr/local/sbin
 #usr/local/share
 #usr/local/share/doc
diff --git a/config/rootfiles/core/80/filelists/files b/config/rootfiles/core/80/filelists/files
index 822baa2..a12048d 100644
--- a/config/rootfiles/core/80/filelists/files
+++ b/config/rootfiles/core/80/filelists/files
@@ -4,9 +4,12 @@ etc/logrotate.conf
 etc/rc.d/init.d/cleanfs
 etc/rc.d/init.d/dhcrelay
 etc/rc.d/init.d/dnsmasq
+etc/rc.d/init.d/firewall
 etc/rc.d/init.d/networking/red.up/30-ddns
+etc/rc.d/init.d/rngd
 srv/web/ipfire/cgi-bin/ddns.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/netexternal.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/config/rootfiles/core/80/update.sh b/config/rootfiles/core/80/update.sh
index b8b5b58..67244c6 100644
--- a/config/rootfiles/core/80/update.sh
+++ b/config/rootfiles/core/80/update.sh
@@ -60,9 +60,6 @@ rm -f \
 /opt/pakfire/db/installed/meta-libgpg-error \
 /opt/pakfire/db/rootfiles/libgpg-error
-# Regenerate squid configuration file
-sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi
-
 # Fix broken proxy configuration permissions
 chown -R nobody.nobody \
 /var/ipfire/proxy/advanced \
@@ -72,6 +69,9 @@ chown -R nobody.nobody \
 /var/ipfire/proxy/squid.conf \
 /var/ipfire/proxy/transparent
+# Regenerate squid configuration file
+sudo -u nobody /srv/web/ipfire/cgi-bin/proxy.cgi
+
 # Generate ddns configuration file
 sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi
diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat
index dacd518..1813862 100644
--- a/html/cgi-bin/logs.cgi/log.dat
+++ b/html/cgi-bin/logs.cgi/log.dat
@@ -51,6 +51,7 @@ $cgiparams{'SECTION'} = 'ipfire';
 my %sections = (
 'ipfire' => '(ipfire: )',
 'red' => '(red:|pppd[.*]: |chat[.*]|pppoe[.*]|pptp[.*]|pppoa[.*]|pppoa3[.*]|pppoeci[.*]|ipppd|ipppd[.*]|kernel: ippp\d|kernel: isdn.*|ibod[.*]|dhcpcd[.*]|modem_run[.*])',
+ 'ddns' => '(ddns[\d+]:)',
 'dns' => '(dnsmasq[.*]: )',
 'dhcp' => '(dhcpd: )',
 'clamav' => '(clamd[.*]: |freshclam[.*]: )',
@@ -70,6 +71,7 @@ my %sections = (
 my %trsections = (
 'ipfire' => 'IPFire',
 'red' => 'RED',
+ 'ddns' => $Lang::tr{'dynamic dns'},
 'dns' => 'DNS',
 'dhcp' => "$Lang::tr{'dhcp server'}",
 'cron' => 'Cron',
diff --git a/lfs/ddns b/lfs/ddns
index c8348ce..975c8c3 100644
--- a/lfs/ddns
+++ b/lfs/ddns
@@ -71,6 +71,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 @$(PREBUILD)
 @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
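Review bot: As rendered here, the new `'ddns'` entry in `%sections` reads `(ddns[\d+]:)`, where `[\d+]` is a character class matching one digit or a literal `+`, so it would not match the `ddns[<pid>]: ` prefix that the ddns patch in this same push emits. The neighbouring context entries (`dnsmasq[.*]`) show the same unescaped brackets, so the backslashes may only have been lost in this mail rendering; the committed file should be checked to read `'ddns' => '(ddns\[\d+\]:)',`. The pattern is also unanchored, so a message from any other program whose text contains `ddns[<digits>]:` would be listed under this section; how `%sections` is applied is outside the hunk. In the second hunk `$Lang::tr{'dynamic dns'}` is unquoted while `"$Lang::tr{'dhcp server'}"` two lines below is quoted; pick one form.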
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
+
 cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh
 cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/var/ipfire
 cd $(DIR_APP) && make $(MAKETUNING)
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 7a18502..23d0c23 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -64,16 +64,20 @@ iptables_init() {
 iptables -A BADTCP -i lo -j RETURN
 # Disallow packets frequently used by port-scanners
- # nmap xmas
- iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
- # Null
- iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
- # FIN
+ # NMAP FIN/URG/PSH (XMAS scan)
+ iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN
+ # SYN/RST/ACK/FIN/URG
+ iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN
+ # ALL/ALL
+ iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN
+ # FIN Stealth
 iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN
 # SYN/RST (also catches xmas variants that set SYN+RST+...)
 iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN
 # SYN/FIN (QueSO or nmap OS probe)
 iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN
+ # Null
+ iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN
 # NEW TCP without SYN
 iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN
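Review bot: The two added matches, `--tcp-flags ALL SYN,RST,ACK,FIN,URG` and `--tcp-flags ALL ALL`, both have SYN and RST set, so the unchanged `--tcp-flags SYN,RST SYN,RST -j PSCAN` rule below them already sends those packets to PSCAN, as its own comment notes. The new rules therefore add no filtering coverage; they only change which rule's packet counter is incremented. If per-pattern counters are the intent, state it next to them, e.g. `# Listed separately for per-scan-type counters; the SYN/RST rule below would also catch these`; otherwise they can be dropped. iptables_init begins and ends outside this hunk.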
@@ -83,6 +87,7 @@ iptables_init() {
 # Connection tracking chain
 iptables -N CONNTRACK
 iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+ iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP
 # Fix for braindead ISP's
 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
@@ -254,20 +259,6 @@ iptables_init() {
 iptables -t nat -N REDNAT
 iptables -t nat -A POSTROUTING -j REDNAT
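Review bot: The added `--ctstate INVALID -j DROP` rule in the CONNTRACK chain discards packets without logging them and has no comment saying what ends up in that state. Conntrack marks as INVALID any packet it cannot associate with a tracked connection, which can include legitimate traffic (for example when replies take a different path than requests), so a stalled connection would leave nothing in the firewall log to diagnose it from. Sending these packets through a small dedicated chain with a rate-limited LOG before the DROP keeps the filtering and makes it observable; the chain name and log prefix below are placeholders. Where CONNTRACK is hooked into INPUT/FORWARD/OUTPUT is outside this hunk, so the effect on locally generated traffic cannot be judged from here.

```shell
# … unchanged: iptables -N CONNTRACK and the ESTABLISHED,RELATED ACCEPT rule …
# Packets conntrack cannot match to a known flow: log (rate-limited), then drop
iptables -N CTINVALID
iptables -A CTINVALID -m limit --limit 10/minute -j LOG --log-prefix "DROP_CTINVALID "
iptables -A CTINVALID -j DROP
iptables -A CONNTRACK -m conntrack --ctstate INVALID -j CTINVALID
```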
- # Filter logging of incoming broadcasts.
- iptables -N BROADCAST_FILTER
- iptables -A INPUT -j BROADCAST_FILTER
-
- iptables -A BROADCAST_FILTER -i "${GREEN_DEV}" -d "${GREEN_BROADCAST}" -j DROP
-
- if [ -n "${BLUE_DEV}" -a -n "${BLUE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${BLUE_DEV}" -d "${BLUE_BROADCAST}" -j DROP
- fi
-
- if [ -n "${ORANGE_DEV}" -a -n "${ORANGE_BROADCAST}" ]; then
- iptables -A BROADCAST_FILTER -i "${ORANGE_DEV}" -d "${ORANGE_BROADCAST}" -j DROP
- fi
-
 # Apply OpenVPN firewall rules
 /usr/local/bin/openvpnctrl --firewall-rules
diff --git a/src/initscripts/init.d/rngd b/src/initscripts/init.d/rngd
index 22437fd..df4aa7d 100644
--- a/src/initscripts/init.d/rngd
+++ b/src/initscripts/init.d/rngd
@@ -28,12 +28,18 @@ case "${1}" in
 fi
 boot_mesg "Starting Random Number Generator Daemon..."
- loadproc /usr/sbin/rngd --no-tpm=1
+
+ if pidofproc /usr/sbin/rngd &>/dev/null; then
+ # Is already running.
+ echo_ok
+ else
+ loadproc /usr/sbin/rngd --no-tpm=1
+ fi
 ;;
 stop)
 boot_mesg "Stopping Random Number Generator Daemon..."
- killproc /usr/sbin/rngd
+ killproc -p /var/run/rngd.pid /usr/sbin/rngd
 ;;
 restart)
diff --git a/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch b/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
new file mode 100644
index 0000000..978db85
--- /dev/null
+++ b/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch
@@ -0,0 +1,25 @@
+From 21fd4b8d26d01d622185ab8de971a9ee934220a3 Mon Sep 17 00:00:00 2001
+From: Michael Tremer michael.tremer@ipfire.org
+Date: Thu, 24 Jul 2014 13:23:36 +0200
+Subject: [PATCH] Add a program prefix to syslog messages.
+
+---
+ src/ddns/__init__.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/ddns/__init__.py b/src/ddns/__init__.py
+index 22764e6..6fe3a33 100644
+--- a/src/ddns/__init__.py
++++ b/src/ddns/__init__.py
+@@ -42,6 +42,8 @@ def setup_logging():
+ handler = logging.handlers.SysLogHandler(address="/dev/log",
+ facility=logging.handlers.SysLogHandler.LOG_DAEMON
+ )
++ formatter = logging.Formatter("ddns[%(process)d]: %(message)s")
++ handler.setFormatter(formatter)
+ handler.setLevel(logging.INFO)
+ rootlogger.addHandler(handler)
+
+--
+1.9.3
+
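Review bot: In the rngd start branch, `pidofproc /usr/sbin/rngd &>/dev/null` depends on the bash-only `&>` redirection; a POSIX-only /bin/sh parses it as a background job followed by a separate redirection, the `if` then always succeeds, and rngd is never started, leaving the system without its entropy daemon. The interpreter line is outside this hunk, so this bites only if the script is not run by bash, but the portable form costs nothing: `if pidofproc /usr/sbin/rngd >/dev/null 2>&1; then`. The stop branch now names `/var/run/rngd.pid` while the start check looks the process up by path only; if `pidofproc` accepts the same `-p` pidfile argument (to be confirmed against the init functions), using it in both places keeps start and stop agreeing on which process they mean.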
hooks/post-receive -- IPFire 2.x development tree