This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  dc9ac30c8dfb157c8ac7af5849d166f42462b08d (commit)
       via  745915d82c3b2ca68275241425cf12f703b18f48 (commit)
       via  01320a141d68776abbbbe4e22d0f0c5532997371 (commit)
      from  c899be2fd02e24f86f801191652d6083eb5524b9 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit dc9ac30c8dfb157c8ac7af5849d166f42462b08d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Jun 5 05:08:31 2019 +0100
core133: Ship updated vpnmain.cgi file and regenerate configuration
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 745915d82c3b2ca68275241425cf12f703b18f48
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Jun 5 10:22:53 2019 +0100
vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled
Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 01320a141d68776abbbbe4e22d0f0c5532997371
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Wed Jun 5 11:54:29 2019 +0200
monit: Some fixes for 'monitrc'
Just cosmetics: Removed all trailing spaces - there were a few...
Activated 'monit' start delay: I activated this option to avoid running into a race condition while being started through '/etc/init.d/monit start'.
As mentioned in 'monit' manual: "...if a service is slow to start, Monit can assume that the service is not running and possibly try to start it [again] and raise an alert, while, in fact the service is already about to start or already in its startup sequence."
This happened here during testing with (e.g.) Clamav.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/monit/monitrc                      | 74 +++++++++++++++----------------
 config/rootfiles/core/133/filelists/files |  1 +
 config/rootfiles/core/133/update.sh       |  3 ++
 html/cgi-bin/vpnmain.cgi                  |  4 +-
 4 files changed, 43 insertions(+), 39 deletions(-)
Difference in files: diff --git a/config/monit/monitrc b/config/monit/monitrc index 9fee14aad..3c999d041 100644 --- a/config/monit/monitrc +++ b/config/monit/monitrc @@ -5,8 +5,8 @@ ## Comments begin with a '#' and extend through the end of the line. Keywords ## are case insensitive. All path's MUST BE FULLY QUALIFIED, starting with '/'. ## -## Below you will find examples of some frequently used statements. For -## information about the control file and a complete list of statements and +## Below you will find examples of some frequently used statements. For +## information about the control file and a complete list of statements and ## options, please have a look in the Monit manual. ## ## @@ -17,15 +17,15 @@ ## Start Monit in the background (run as a daemon): # set daemon 60 # check services at 1-minute intervals -# with start delay 240 # optional: delay the first check by 4-minutes (by + with start delay 240 # optional: delay the first check by 4-minutes (by # # default Monit check immediately after Monit start) # # ## Set syslog logging with the 'daemon' facility. If the FACILITY option is -## omitted, Monit will use 'user' facility by default. If you want to log to +## omitted, Monit will use 'user' facility by default. If you want to log to ## a standalone log file instead, specify the full path to the log file # -set logfile syslog facility log_daemon +set logfile syslog facility log_daemon # # ## Set the location of the Monit lock file which stores the process id of the @@ -34,7 +34,7 @@ set logfile syslog facility log_daemon set pidfile /var/run/monit.pid # ## Set the location of the Monit id file which stores the unique id for the -## Monit instance. The id is generated and stored on first Monit start. By +## Monit instance. The id is generated and stored on first Monit start. By ## default the file is placed in $HOME/.monit.id. # set idfile /var/lib/monit/id 
@@ -47,9 +47,9 @@ set idfile /var/lib/monit/id # set statefile /var/lib/monit/state # -## Set the list of mail servers for alert delivery. Multiple servers may be -## specified using a comma separator. If the first mail server fails, Monit -# will use the second mail server in the list and so on. By default Monit uses +## Set the list of mail servers for alert delivery. Multiple servers may be +## specified using a comma separator. If the first mail server fails, Monit +# will use the second mail server in the list and so on. By default Monit uses # port 25 - it is possible to override this with the PORT option. # # set mailserver mail.bar.baz, # primary mailserver @@ -57,10 +57,10 @@ set statefile /var/lib/monit/state # localhost # fallback relay # # -## By default Monit will drop alert events if no mail servers are available. -## If you want to keep the alerts for later delivery retry, you can use the -## EVENTQUEUE statement. The base directory where undelivered alerts will be -## stored is specified by the BASEDIR option. You can limit the queue size +## By default Monit will drop alert events if no mail servers are available. +## If you want to keep the alerts for later delivery retry, you can use the +## EVENTQUEUE statement. The base directory where undelivered alerts will be +## stored is specified by the BASEDIR option. You can limit the queue size ## by using the SLOTS option (if omitted, the queue is limited by space ## available in the back end filesystem). # 
@@ -69,11 +69,11 @@ set eventqueue slots 100 # optionally limit the queue size # # -## Send status and events to M/Monit (for more informations about M/Monit -## see http://mmonit.com/). By default Monit registers credentials with +## Send status and events to M/Monit (for more informations about M/Monit +## see http://mmonit.com/). By default Monit registers credentials with ## M/Monit so M/Monit can smoothly communicate back to Monit and you don't ## have to register Monit credentials manually in M/Monit. It is possible to -## disable credential registration using the commented out option below. +## disable credential registration using the commented out option below. ## Though, if safety is a concern we recommend instead using https when ## communicating with M/Monit and send credentials encrypted. # @@ -105,8 +105,8 @@ set eventqueue # set mail-format { from: monit@foo.bar }a # # -## You can set alert recipients whom will receive alerts if/when a -## service defined in this file has errors. Alerts may be restricted on +## You can set alert recipients whom will receive alerts if/when a +## service defined in this file has errors. Alerts may be restricted on ## events by using a filter as in the second example below. # # set alert sysadm@foo.bar # receive all alerts @@ -115,9 +115,9 @@ set eventqueue # set alert your-name@your.domain not on { instance, action } # # -## Monit has an embedded web server which can be used to view status of +## Monit has an embedded web server which can be used to view status of ## services monitored and manage services from a web interface. See the -## Monit Wiki if you want to enable SSL for the web server. +## Monit Wiki if you want to enable SSL for the web server. # set httpd port 2812 and use address localhost # only accept connection from localhost 
@@ -143,15 +143,15 @@ set httpd port 2812 and # if cpu usage (system) > 30% then alert # if cpu usage (wait) > 20% then alert # -# +# ## Check if a file exists, checksum, permissions, uid and gid. In addition -## to alert recipients in the global section, customized alert can be sent to -## additional recipients by specifying a local alert handler. The service may +## to alert recipients in the global section, customized alert can be sent to +## additional recipients by specifying a local alert handler. The service may ## be grouped using the GROUP option. More than one group can be specified by ## repeating the 'group name' statement. -# +# # check file apache_bin with path /usr/local/apache/bin/httpd -# if failed checksum and +# if failed checksum and # expect the sum 8f7f419955cefa0b33a2ba316cba3659 then unmonitor # if failed permission 755 then unmonitor # if failed uid root then unmonitor @@ -161,15 +161,15 @@ set httpd port 2812 and # } with the mail-format { subject: Alarm! } # group server # -# +# ## Check that a process is running, in this case Apache, and that it respond ## to HTTP and HTTPS requests. Check its resource usage such as cpu and memory, -## and number of children. If the process is not running, Monit will restart -## it by default. In case the service is restarted very often and the +## and number of children. If the process is not running, Monit will restart +## it by default. In case the service is restarted very often and the ## problem remains, it is possible to disable monitoring using the TIMEOUT ## statement. This service depends on another service (apache_bin) which ## is defined above. -# +# # check process apache with pidfile /usr/local/apache/logs/httpd.pid # start program = "/etc/init.d/httpd start" with timeout 60 seconds # stop program = "/etc/init.d/httpd stop" 
@@ -178,7 +178,7 @@ set httpd port 2812 and # if totalmem > 200.0 MB for 5 cycles then restart # if children > 250 then restart # if loadavg(5min) greater than 10 for 8 cycles then stop -# if failed host www.tildeslash.com port 80 protocol http +# if failed host www.tildeslash.com port 80 protocol http # and request "/somefile.html" # then restart # if failed port 443 type tcpssl protocol http @@ -187,8 +187,8 @@ set httpd port 2812 and # if 3 restarts within 5 cycles then timeout # depends on apache_bin # group server -# -# +# +# ## Check filesystem permissions, uid, gid, space and inode usage. Other services, ## such as databases, may depend on this resource and an automatically graceful ## stop may be cascaded to them before the filesystem will become full and data @@ -207,7 +207,7 @@ set httpd port 2812 and # group server # # -## Check a file's timestamp. In this example, we test if a file is older +## Check a file's timestamp. In this example, we test if a file is older ## than 15 minutes and assume something is wrong if its not updated. Also, ## if the file size exceed a given limit, execute a script # @@ -219,8 +219,8 @@ set httpd port 2812 and # if size > 100 MB then exec "/my/cleanup/script" as uid dba and gid dba # # -## Check directory permission, uid and gid. An event is triggered if the -## directory does not belong to the user with uid 0 and gid 0. In addition, +## Check directory permission, uid and gid. An event is triggered if the +## directory does not belong to the user with uid 0 and gid 0. In addition, ## the permissions have to match the octal description of 755 (see chmod(1)). # # check directory bin with path /bin 
@@ -229,8 +229,8 @@ set httpd port 2812 and # if failed gid 0 then unmonitor # # -## Check a remote host availability by issuing a ping test and check the -## content of a response from a web server. Up to three pings are sent and +## Check a remote host availability by issuing a ping test and check the +## content of a response from a web server. Up to three pings are sent and ## connection to a port and an application level network check is performed. # # check host myserver with address 192.168.1.1 diff --git a/config/rootfiles/core/133/filelists/files b/config/rootfiles/core/133/filelists/files index e822e7501..97a603ad8 100644 --- a/config/rootfiles/core/133/filelists/files +++ b/config/rootfiles/core/133/filelists/files @@ -4,4 +4,5 @@ etc/rc.d/init.d/smt srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/cgi-bin/vpnmain.cgi srv/web/ipfire/cgi-bin/vulnerabilities.cgi diff --git a/config/rootfiles/core/133/update.sh b/config/rootfiles/core/133/update.sh index 7da865be1..9d708f092 100644 --- a/config/rootfiles/core/133/update.sh +++ b/config/rootfiles/core/133/update.sh @@ -59,6 +59,9 @@ telinit u # Update Language cache /usr/local/bin/update-lang-cache
+# Regenerate /etc/ipsec.conf +sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi + # Start services /usr/local/bin/ipsecctrl S /etc/init.d/suricata restart diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index ecf860d85..4b737b3a8 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -3331,14 +3331,14 @@ sub make_algos($$$$$) { push(@algo, "modp$grp"); }
- } elsif ($mode eq "esp" && $pfs) { + } elsif ($mode eq "esp") { my $is_aead = ($enc =~ m/[cg]cm/);
if (!$is_aead) { push(@algo, $int); }
- if ($grp eq "none") { + if ($pfs || $grp eq "none") { # noop } elsif ($grp =~ m/^e(.*)$/) { push(@algo, "ecp$1");
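Review bot: the bulk of the config/monit/monitrc diff (the `@@ -5,8`, `@@ -34,7`, `@@ -47,9`, `@@ -57,10`, `@@ -69,11`, `@@ -105,8`, `@@ -115,9`, `@@ -143,15`, `@@ -161,15`, `@@ -178,7`, `@@ -187,8`, `@@ -207,7`, `@@ -219,8` and `@@ -229,8` hunks) only strips trailing whitespace from comment lines, which buries the one functional line of the commit inside 37 paired deletions and insertions of identical text. Splitting the cosmetic cleanup into its own commit would leave the `with start delay` change reviewable and bisectable on its own, and would keep `git blame` on the comment block pointing at the upstream template rather than at a whitespace pass.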
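Review bot: in the `@@ -17,15 +17,15 @@` hunk of config/monit/monitrc, the newly active `with start delay 240` takes the 4-minute figure verbatim from the upstream example comment, and neither the hunk nor the commit message says why that length was chosen. Per the comment on the following line ("by default Monit check immediately after Monit start"), no check runs during the delay at all, so a service that dies within the first four minutes after boot or `/etc/init.d/monit start` is not restarted in that window; a delay sized to the slowest start-up actually observed (Clamav, per the commit message) would narrow that gap. The comment fragment left on the next line, `# # default Monit check immediately after Monit start)`, now describes the disabled default rather than the active setting and should be reworded to say that the first check is deliberately delayed.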
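Review bot: in the config/rootfiles/core/133/update.sh hunk, `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi` invokes a CGI script with no CGI environment, so besides rewriting /etc/ipsec.conf it will print its HTML page into the middle of the update output; a `>/dev/null` redirect and a comment stating that a parameterless run is what triggers the regeneration would help whoever reads this next. The exit status is not checked, and `/usr/local/bin/ipsecctrl S` follows two lines later, so if the script fails (for example because /etc/ipsec.conf is not writable by `nobody`, which this line relies on) IPsec is started silently with the old, still wrong, proposals; testing the return value before the `# Start services` block is worth adding. Running the regeneration as `nobody` rather than as root is the right least-privilege choice.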
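Review bot: in the `@@ -3331,14 +3331,14 @@` hunk of html/cgi-bin/vpnmain.cgi, the sense of `$pfs` appears to flip between the old and the new code: previously the ESP branch, including the DH group push, ran only when `$pfs` was true, whereas the new `if ($pfs || $grp eq "none") { # noop }` suppresses the group exactly when `$pfs` is true. The caller is not part of this diff (the diffstat shows 2 insertions and 2 deletions in this file), so either the argument already carried the inverted meaning and the old condition was wrong in both directions, or PFS-enabled connections now lose their ESP DH group; please confirm against the `make_algos` call site and add a comment on the parameter stating what a true value means. Moving the branch guard from `$mode eq "esp" && $pfs` to `$mode eq "esp"` is the visible core of the fix, since with the old guard a non-PFS ESP proposal never reached `push(@algo, $int)` and so lost its integrity algorithm.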
hooks/post-receive -- IPFire 2.x development tree