This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  b7c958992df0b2e9275c4df42133e2ebd50e1b8b (commit)
       via  ca06e817b84b8bb737b2811bdc5ad43d034e2c48 (commit)
       via  65df34a6f60714706cc48386c3ed60ee6e100cf3 (commit)
       via  a201764e756895ed5fc23028863ba3b0e8bb406d (commit)
       via  d3a520fa68d2d0198ddca827a96a4e2cbb595d8a (commit)
       via  7970d3937287171035336bd63ee28d0cd1c82d62 (commit)
       via  41d3d33dde1312d6e1556d3279d9c09d925b7452 (commit)
       via  a84b9ed2feb926681ad94273d8c2efc5d7b71b4f (commit)
      from  11f4726b0d72b6a4a0799bb4548e9ce93bf16911 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b7c958992df0b2e9275c4df42133e2ebd50e1b8b
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Fri Apr 7 14:37:05 2023 +0000
Core Update 174: Ship parse-func.pl
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit ca06e817b84b8bb737b2811bdc5ad43d034e2c48
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Fri Apr 7 14:35:11 2023 +0000
parse-func.pl: Adjust regular expression to changed 'tc' output
It is not clear at all why they chose to change the tool's output this way in upstream commit 010a8388aea11e767ba3a2506728b9ad9760df0e, but we'll have to make do with this.
Fixes: #13075
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 65df34a6f60714706cc48386c3ed60ee6e100cf3
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Apr 4 21:12:39 2023 +0000
Do not mark migrate.pl as executable in Git
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit a201764e756895ed5fc23028863ba3b0e8bb406d
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Apr 4 20:25:55 2023 +0000
ovpnmain.cgi: Do not determine certificate expiry status for N2N connections
https://wiki.ipfire.org/devel/telco/2023-04-03
Fixes: #13066
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit d3a520fa68d2d0198ddca827a96a4e2cbb595d8a
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Apr 4 20:04:11 2023 +0000
Revert "e2fsprogs: Update to version 1.47.0"
This reverts commit 1f3f26702144ef600eb7937c4ab78e4833e6636f.
Symlink will remain in place to ensure the reverted version is always shipped to our users, including those that have installed Core Update 174 (testing).
Fixes: #13073
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 7970d3937287171035336bd63ee28d0cd1c82d62
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Tue Apr 4 20:02:58 2023 +0000
Core Update 174: Ship ipblocklist-related changes
https://wiki.ipfire.org/devel/telco/2023-04-03
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
commit 41d3d33dde1312d6e1556d3279d9c09d925b7452
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Mar 28 18:05:42 2023 +0200
update-ipblocklists: Fix loading new blocklists after update
* The script needs to run with root permissions in order to do the ipset operations. So remove code to drop the permissions on startup.
* Adjust execute calls to use the proper functions from general functions.
* Add some code to set the correct ownership (nobody:nobody) for changed files during script runtime.
Fixes #13072.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
commit a84b9ed2feb926681ad94273d8c2efc5d7b71b4f
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Mar 16 11:34:03 2023 +0100
header.pl: Add reference to colors.txt into header.pl
- With change of common css entries into header.pl with commit https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=b52a84ddc77f9db7e4ad7b12... I had missed that color20 and color22 etc., that come from colors.txt, are not known in header.pl, so that the alternate colours in tables were missing. Even though I tested the previous commit I obviously did not look well enough because I missed that the tables had no alternate colours. I just found it now when looking at Core Update 174 Testing.
- Confirmed by copying this version of header.pl into my CU174 Testing system and the alternate colour rows came back again as they should be. I am sure now that they are correct.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/cfgroot/header.pl                  |  3 +++
 config/cfgroot/ipblocklist-functions.pl   | 27 +++++++++++++++++++
 config/qos/migrate.pl                     |  0
 config/qos/parse-func.pl                  | 10 +++---
 config/rootfiles/core/174/filelists/files |  3 +++
 config/rootfiles/core/174/update.sh       |  3 +++
 html/cgi-bin/ovpnmain.cgi                 | 43 +++++++++++++++++++------------
 lfs/e2fsprogs                             |  4 +--
 src/scripts/update-ipblocklists           | 28 +++++++++-----------
 9 files changed, 82 insertions(+), 39 deletions(-)
 mode change 100755 => 100644 config/qos/migrate.pl
Difference in files: diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index 955ed2646..3f80ce9b4 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -17,6 +17,9 @@ use HTML::Entities(); use Socket; use Time::Local;
+our %color = (); +&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", %color); + $|=1; # line buffering
$Header::revision = 'final'; diff --git a/config/cfgroot/ipblocklist-functions.pl b/config/cfgroot/ipblocklist-functions.pl index ecabf42e8..bd026a01d 100644 --- a/config/cfgroot/ipblocklist-functions.pl +++ b/config/cfgroot/ipblocklist-functions.pl @@ -383,4 +383,31 @@ sub get_holdoff_rate($) { return $value; }
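Review bot: in the header.pl hunk, "&General::readhash(..., %color)" passes the hash itself, but readhash fills its target through a hash reference, so the second argument should be "\%color" (if the backslash was merely lost in this mail rendering, disregard). The path "/srv/web/ipfire/html/themes/ipfire/include/colors.txt" is also hard-coded to the ipfire theme; a short comment stating that this is intentional (only one theme is shipped) would save the next reader a question.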
+# +## sub set_ownership(file) +## +## Function to set the correct ownership (nobody:nobody) to a given file. +## +# +sub set_ownership($) { + my ($file) = @_; + + # User and group of the WUI. + my $uname = "nobody"; + my $grname = "nobody"; + + # The chown function implemented in perl requies the user and group as nummeric id's. + my $uid = getpwnam($uname); + my $gid = getgrnam($grname); + + # Check if the given file exists. + unless ($file) { + # Stop the script and print error message. + die "The given $file does not exist. Cannot change the ownership!\n"; + } + + # Change ownership of the file. + chown($uid, $gid, "$file"); +} + 1; diff --git a/config/qos/migrate.pl b/config/qos/migrate.pl old mode 100755 new mode 100644 diff --git a/config/qos/parse-func.pl b/config/qos/parse-func.pl index 991757f92..04ca85b7f 100644 --- a/config/qos/parse-func.pl +++ b/config/qos/parse-func.pl @@ -46,24 +46,24 @@ class htb 1:10 parent 1:1 prio 0 rate 80Kbit ceil 320Kbit burst 1701b cburst 200 lended: 230876 borrowed: 17112 giants: 0 tokens: 127200 ctokens: 37940
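Review bot: in set_ownership(), "unless ($file)" only catches an empty or undefined argument, while the comment and the die message claim to check that the file exists; use "unless (-e $file)" so a missing blocklist file is actually reported (as written, an undef argument also yields the message "The given  does not exist"). The return value of chown() (the number of files changed) is discarded, so a failed ownership change goes unnoticed; "chown($uid, $gid, $file) or die "Could not change ownership of $file: $!\n";" would surface it, and getpwnam()/getgrnam() should be checked for undef before use in case the nobody account is absent. Minor: "requies" and "nummeric" in the comments.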
-class htb 1:20 parent 1:1 leaf 4220: prio 1 rate 100Kbit ceil 200Kbit burst 1727b cburst 1855b +class htb 1:20 parent 1:1 leaf 4220prio 1 rate 100Kbit ceil 200Kbit burst 1727b cburst 1855b Sent 2495181573 bytes 44034303 pkts (dropped 5837, overlimits 0) lended: 43825585 borrowed: 208718 giants: 0 tokens: 103424 ctokens: 55808
-class htb 1:30 parent 1:1 leaf 4230: prio 3 rate 80Kbit ceil 400Kbit burst 1701b cburst 2111b +class htb 1:30 parent 1:1 leaf 4230prio 3 rate 80Kbit ceil 400Kbit burst 1701b cburst 2111b Sent 2060213567 bytes 5465574 pkts (dropped 121, overlimits 0) rate 16851bps 35pps lended: 4556992 borrowed: 908582 giants: 0 tokens: -25364 ctokens: 32897
-class htb 1:50 parent 1:1 leaf 4250: prio 5 rate 40Kbit ceil 120Kbit burst 1650b cburst 1752b +class htb 1:50 parent 1:1 leaf 4250prio 5 rate 40Kbit ceil 120Kbit burst 1650b cburst 1752b Sent 6071486687 bytes 24448436 pkts (dropped 8086739, overlimits 0) rate 15801bps 85pps backlog 126p lended: 8324530 borrowed: 16123780 giants: 0 tokens: -202717 ctokens: -172499
-class htb 1:666 parent 1:1 leaf 666: prio 7 rate 4Kbit ceil 40Kbit burst 1604b cburst 1650b +class htb 1:666 parent 1:1 leaf 666prio 7 rate 4Kbit ceil 40Kbit burst 1604b cburst 1650b Sent 2148626078 bytes 6771069 pkts (dropped 2078536, overlimits 0) rate 5221bps 17pps backlog 125p lended: 675330 borrowed: 6095613 giants: 0 @@ -94,7 +94,7 @@ sub parse_class($) { my $line=$tc_output[$i]; # Parsing HTB: # ------------ - if ( $line =~ m/class htb (\d+):(\d+)( root| parent )?(\d+:\d+)?( leaf )?(\d+)?:?( prio )?(\d+)? rate (.*) ceil (.*) burst (.*) cburst (.*)/ ) { + if ( $line =~ m/class htb (\d+):(\d+)( root| parent )?(\d+:\d+)?( leaf )?(\d+)?(prio )?(\d+)? rate (.*) ceil (.*) burst (.*) cburst (.*)/ ) { my $type = "htb"; my $major = $1; my $minor = $2; diff --git a/config/rootfiles/core/174/filelists/files b/config/rootfiles/core/174/filelists/files index 8b7058f81..53b01dca6 100644 --- a/config/rootfiles/core/174/filelists/files +++ b/config/rootfiles/core/174/filelists/files @@ -92,7 +92,10 @@ srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/traffic.cgi srv/web/ipfire/cgi-bin/updatexlrator.cgi usr/lib/firewall/rules.pl +usr/local/bin/update-ipblocklists var/ipfire/graphs.pl var/ipfire/header.pl var/ipfire/ids-functions.pl +var/ipfire/ipblocklist-functions.pl var/ipfire/network-functions.pl +var/ipfire/qos/bin/parse-func.pl diff --git a/config/rootfiles/core/174/update.sh b/config/rootfiles/core/174/update.sh index 7acaad64e..25474a7b2 100644 --- a/config/rootfiles/core/174/update.sh +++ b/config/rootfiles/core/174/update.sh @@ -184,6 +184,9 @@ if [ -e "/opt/pakfire/db/installed/meta-perl-TimeDate" ] && [ -e "/opt/pakfire/d /opt/pakfire/db/rootfiles/perl-TimeDate fi
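Review bot: in the parse_class() hunk, dropping the space in front of "prio" makes the regular expression reject any class line that has no "leaf" part, e.g. the file's own sample "class htb 1:10 parent 1:1 prio 0 rate 80Kbit ..." shown in the hunk context, because the space between "1:1" and "prio" is no longer consumed by any group and the literal " rate" then fails to match. Writing the middle part as "( leaf )?(\d+)?:? ?(prio )?(\d+)?" accepts the new "leaf 4220prio 1", the old "leaf 4220: prio 1" and the leaf-less "parent 1:1 prio 0" forms without changing the capture group numbering, so the $N assignments below stay valid. If IPFire never creates inner classes this is harmless today, but the header comment should then stop advertising a format the parser does not accept.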
+# Update IP blocklists to resolve fallout of #13072 as quickly as possible +/usr/local/bin/update-location-database + # This update needs a reboot... touch /var/run/need_reboot
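Review bot: in the update.sh hunk, the comment says the IP blocklists are to be refreshed to clean up after #13072, but the line invokes "/usr/local/bin/update-location-database", which updates the location database, not the blocklists. The script this update ships for that purpose is "/usr/local/bin/update-ipblocklists" (see the filelist hunk above), so either the call or the comment is wrong; if the blocklist script is meant, it should also be called only after the new ipblocklist-functions.pl and the script itself have been extracted, since it now runs ipset directly and relies on set_ownership().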
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 87bda4f1e..51d6e8431 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -5354,26 +5354,37 @@ END } if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
- # Fetch information about the certificate - my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", - "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + # Create some simple booleans to check the status + my $hasExpired; + my $expiresSoon;
- my $expiryDate = 0; + # Fetch information about the certificate for non-N2N connections only + if ($confighash{$key}[3] ne 'net') { + my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", + "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
- # Parse the certificate information - foreach my $line (@cavalid) { - if ($line =~ /Not After : (.*)[\n]/) { - $expiryDate = &Date::Parse::str2time($1); - last; + my $expiryDate = 0; + + # Parse the certificate information + foreach my $line (@cavalid) { + if ($line =~ /Not After : (.*)[\n]/) { + $expiryDate = &Date::Parse::str2time($1); + last; + } } - }
- # Calculate the remaining time - my $remainingTime = $expiryDate - time(); + # Calculate the remaining time + my $remainingTime = $expiryDate - time();
- # Create some simple booleans to check the status - my $hasExpired = ($remainingTime <= 0); - my $expiresSoon = ($remainingTime <= 30 * 24 * 3600); + # Determine whether the certificate has already expired, or will so soon + $hasExpired = ($remainingTime <= 0); + $expiresSoon = ($remainingTime <= 30 * 24 * 3600); + + } else { + # Populate booleans with dummy values for N2N connections (#13066) + $hasExpired = 0; + $expiresSoon = 0; + }
print "<tr>";
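Review bot: in the ovpnmain.cgi hunk, the N2N branch hard-codes "$hasExpired = 0; $expiresSoon = 0;", so N2N rows render exactly like a checked and valid certificate rather than as "not checked"; leaving both undef and treating undef as a third state in the output below would avoid misleading operators. In the non-N2N path the pre-existing weakness remains: when openssl prints no "Not After" line (certificate file missing or unreadable), $expiryDate stays 0, $remainingTime becomes hugely negative and the connection is shown as expired; testing "-e" on the certificate path, or requiring "$expiryDate > 0" before computing the status, would separate "cannot read certificate" from "expired".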
diff --git a/lfs/e2fsprogs b/lfs/e2fsprogs index 8db1c215c..4758b5401 100644 --- a/lfs/e2fsprogs +++ b/lfs/e2fsprogs @@ -24,7 +24,7 @@
include Config
-VER = 1.47.0 +VER = 1.46.5
THISAPP = e2fsprogs-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 84f58b05a9f0e14e1a66c6e5171ff23b022f51c4e9a02d4d6d1d26c91909f3c7ec9c9f0462663a4457b4479043774502b8891f691e58a61f4ef6bf9ba33f33aa +$(DL_FILE)_BLAKE2 = 8d8c02e891c464782a7cff518c41d793fc73366b57e17d80ffc5afd96e6144e354290e667e9710509a9dde4e5dab7e7185c5bf084c5bfd26219f05e5e92e0830
install : $(TARGET)
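Review bot: the e2fsprogs revert touches only VER and the BLAKE2 checksum in lfs/e2fsprogs, and the summary of changes lists no rootfile for e2fsprogs; please confirm that 1f3f26702 did not also change config/rootfiles (new library sonames or files introduced by 1.47.0) that would now reference files 1.46.5 does not install. The checksum for 1.46.5 should be verified against the tarball from DL_FROM rather than copied back from the pre-bump revision, and the symlink the commit message relies on to keep shipping the reverted version is not part of this diff, so a pointer to where it lives would help.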
diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists index 9918cac41..a17b47999 100644 --- a/src/scripts/update-ipblocklists +++ b/src/scripts/update-ipblocklists @@ -32,19 +32,6 @@ require "${General::swroot}/lang.pl"; # Hash to store the settings. my %settings = ();
-# The user and group name as which this script should be run. -my $run_as = 'nobody'; - -# Get user and group id of the user. -my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ]; - -# Check if the script currently runs as root. -if ( $> == 0 ) { - # Drop privileges and switch to the specified user and group. - POSIX::setgid( $gid ); - POSIX::setuid( $uid ); -} - # Establish the connection to the syslog service. openlog('ipblocklist', 'cons', 'user');
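Review bot: removing the setgid()/setuid() block means the whole script, including fetching and parsing blocklists from remote servers, now runs as root, whereas the commit message only justifies root for the ipset operations. Prefer keeping the privilege drop for the download and parsing phase and running only "ipset restore"/"swap"/"destroy" with elevated rights (for example by re-executing the reload step as root, or by having a root-owned caller perform it), or at least fail early with a clear error when "$> != 0" and document in the script header that root is required, so the ipset calls do not fail late after the files were already rewritten. If POSIX was imported only for setgid()/setuid(), that import can go too.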
@@ -122,6 +109,12 @@ foreach my $blocklist (@blocklists) { &_log_to_syslog("<ERROR> Could not update $blocklist blocklist - Unexpected error!"); } } else { + # Get the filename of the blocklist. + my $ipset_db_file = &IPblocklist::get_ipset_db_file($blocklist); + + # Set the correct ownership. + &IPblocklist::set_ownership($ipset_db_file); + # Log successfull update. &_log_to_syslog("<INFO> Successfully updated $blocklist blocklist.");
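Review bot: set_ownership() is only called in the success branch, so if a download or write fails part-way the root-owned (the script now runs as root throughout) database file stays behind and the WUI user nobody cannot replace it on the next attempt; setting the ownership as soon as the file is written, regardless of the outcome, or creating it with the right owner, avoids that. Because set_ownership() dies on error, a single failure also aborts the loop for all remaining blocklists; logging via _log_to_syslog() and continuing with "next" would be the gentler behaviour here.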
@@ -132,22 +125,25 @@ foreach my $blocklist (@blocklists) {
# Check if a blocklist has been updated and therefore needs to be reloaded. if (@updated_blocklists) { + # Set correct ownership to the modified file. + &IPblocklist::set_ownership($IPblocklist::modified_file); + # Loop through the array. foreach my $updated_blocklist (@updated_blocklists) { # Get the blocklist file. my $ipset_db_file = &IPblocklist::get_ipset_db_file($updated_blocklist);
# Call safe system function to reload/update the blocklist. - &General::system("ipset", "restore", "-f", "$ipset_db_file"); + &General::safe_system("ipset", "restore", "-f", "$ipset_db_file");
# The set name contains a "v4" as suffix. my $set_name = "$updated_blocklist" . "v4";
# Swap the sets to use the new one. - &General::system("ipset", "swap", "$set_name", "$updated_blocklist"); + &General::safe_system("ipset", "swap", "$set_name", "$updated_blocklist");
# Destroy the old blocklist. - &General::system("ipset", "destroy", "$set_name"); + &General::safe_system("ipset", "destroy", "$set_name"); } }
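Review bot: the "ipset restore" / "ipset swap" / "ipset destroy" sequence is not transactional, and if safe_system() aborts on a non-zero exit status (as the name suggests) a failure at "swap" leaves the temporary "${updated_blocklist}v4" set behind, so the next run's "ipset restore" fails because the set already exists. Either restore with "-exist" ("-!"), destroy a stale "...v4" set before restoring, or wrap the three calls in eval and clean up on error; in all cases the remaining entries of @updated_blocklists should still be processed rather than skipped after the first abort, with the failure written to syslog.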
hooks/post-receive -- IPFire 2.x development tree